Threat actors were able to successfully compromise an unnamed internet service provider, poison the DNS responses for targeted organizations and infect their macOS and Windows systems with malware, according to new research from Volexity.
The Chinese espionage group behind the attacks (tracked by various researchers as StormBamboo, Daggerfly or Storm Cloud) is a “highly skilled and aggressive” actor. Researchers with Volexity said they observed several incidents starting in mid-2023 with malware linked back to the threat group. The infection vector in these attacks appeared to be the result of a DNS poisoning attack at the ISP level.
“Volexity determined that StormBamboo was altering DNS query responses for specific domains tied to automatic software update mechanisms,” said Ankur Saini, Paul Rascagneres, Steven Adair and Thomas Lancaster, researchers with Volexity in an analysis on Friday. “StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers.”
When applications retrieved their updates, malware would be installed. Researchers observed these attacks deploying the previously discovered Macma MacOS backdoor, which has various features like screen capture, audio recording, device fingerprinting and keylogging. Researchers also found MgBot (which they tracked as Pocostick) being spread in the attacks, which is another malware family that the threat group has used in previous attacks. MgBot is a modular framework with various plugins enabling network scanning, information stealing abilities for browsers like Chrome and Firefox and for the QQ chat tool, keylogging, password dumping and other espionage capabilities.
Researchers also observed various post-compromise activities, including the threat group deploying a malicious Google Chrome extension called RELOADEXT. The extension was installed via a custom binary, developed by the attacker, and exfiltrated browser cookies to a threat actor-controlled Google Drive account.
“The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances," said researchers.
The attack illustrates how threat actors can leverage DNS poisoning to abuse automatic update methods utilizing HTTP (instead of HTTPS). Another China-based threat actor, called DriftingBamboo, was also seen in 2022 using DNS poisoning attacks after exploiting zero-day flaws in Sophos firewalls (CVE-2022-1040).
StormBamboo has been around for at least a decade and was previously discovered targeting a telecommunications organization in Africa in a 2023 campaign that leveraged the MgBot malware. Most recently, the espionage group has updated its toolset in a number of recent attacks against organizations in Taiwan, as well as a U.S. non-governmental organization in China.