In mid-2023, the China-linked cyber espionage group Evasive Panda compromised an unnamed internet service provider (ISP) to distribute malicious software updates to target companies. This attack demonstrates the increasing sophistication of the group.
Evasive Panda, also known as Bronze Highland, Daggerfly, and StormBamboo, has been active since at least 2012. The group is known for using backdoors like MgBot (also called POCOSTICK) and Nightdoor (also known as NetMM and Suzafk) to collect sensitive data.
Recently, the group has been linked to a macOS malware strain called MACMA, which has been detected in the wild since 2021. A report published last week highlighted StormBamboo’s aggressive tactics in compromising third parties, like ISPs, to breach their intended targets.
Evasive Panda employs a variety of malware in its campaigns, indicating significant investment in developing payloads for macOS, Windows, and network appliances. Public reports over the past two years have documented Evasive Panda’s use of MgBot in watering hole and supply chain attacks, particularly targeting Tibetan users.
One notable incident involved targeting an international NGO in Mainland China, with MgBot delivered through update channels of legitimate applications like Tencent QQ. Initially, it was speculated that the trojanized updates resulted from either a supply chain compromise or an adversary-in-the-middle (AitM) attack. Researchers later confirmed the latter, revealing a DNS poisoning attack at the ISP level.
The threat actor altered DNS query responses for specific domains linked to automatic software updates, exploiting software with insecure update mechanisms, such as HTTP, or those lacking adequate integrity checks for installers. Researchers reported that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and manipulated responses for legitimate hostnames used as command-and-control (C2) servers.
These attacks abused insecure update mechanisms to deliver either MgBot or MACMA, depending on the operating system. Researchers notified the affected ISP so it could remediate the DNS poisoning.
In one instance, the attackers deployed a Google Chrome extension on a victim’s macOS device by modifying the Secure Preferences file. The extension purported to be a tool for compatibility mode with Internet Explorer but primarily aimed to exfiltrate browser cookies to a Google Drive account controlled by the adversary.
The latest versions of MACMA have shown similarities with another multi-platform malware called Gimmick, linked to a Chinese cyber espionage group known as Storm Cloud, which targets organizations across Asia. The researchers noted that attackers intercept DNS requests, poison them with malicious IP addresses, and exploit automatic update mechanisms that use HTTP rather than HTTPS.
To prevent falling victim, organizations should ensure that all software update mechanisms use secure protocols such as HTTPS and enforce integrity checks for installers. Additionally, regularly monitoring DNS traffic for anomalies and implementing DNS security extensions (DNSSEC) can help detect and mitigate DNS poisoning attempts.
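The two weaknesses the campaign relied on (an update fetched over plain HTTP, and an installer run without any integrity check) can be contrasted with a hardened client in a few lines. The following is an added example written for this article, not code from the report, from Evasive Panda's tooling, or from any vendor's updater: it models an update client the weak way and the corrected way, then adds a simple resolver-drift check of the kind a DNS monitoring rule would implement. The host `updates.example.com`, the installer bytes, the digests and the IP ranges are all constructed for the demo.

```python
# Added example (not code from the report or from any vendor): a minimal update
# client written two ways, plus a resolver-drift check. All hosts, installer
# bytes and IP addresses below are constructed for the demo.
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse


class UpdateRejected(Exception):
    """Raised by the hardened client when an update fails a safety check."""


@dataclass(frozen=True)
class UpdateManifest:
    url: str      # where the installer is downloaded from
    sha256: str   # expected installer digest, taken from a signed manifest
    version: str


# Constructed installer bytes standing in for a real and a trojanized package.
LEGIT_INSTALLER = b"constructed legit installer v2.1"
TROJANIZED_INSTALLER = b"constructed trojanized installer"
PINNED_UPDATE_HOSTS = {"updates.example.com"}   # hypothetical vendor host


def fake_transport(url: str, poisoned: bool) -> bytes:
    """Stand-in for a download. poisoned=True models a resolver that steers the
    client to attacker infrastructure serving a trojanized package."""
    return TROJANIZED_INSTALLER if poisoned else LEGIT_INSTALLER


def fetch_insecure(manifest: UpdateManifest, poisoned: bool) -> bytes:
    """The weak pattern: any scheme accepted and the downloaded bytes are used
    without an integrity check, so the resolver's answer decides what runs."""
    return fake_transport(manifest.url, poisoned)


def fetch_hardened(manifest: UpdateManifest, poisoned: bool) -> bytes:
    """The corrected pattern: require HTTPS, pin the expected host and verify
    the installer digest against the value from the signed manifest. With a
    real TLS client the certificate check would already fail a redirected
    download; the digest check is defence in depth (e.g. for mirrors/CDNs)."""
    parsed = urlparse(manifest.url)
    if parsed.scheme != "https":
        raise UpdateRejected("update URL must use HTTPS")
    if parsed.hostname not in PINNED_UPDATE_HOSTS:
        raise UpdateRejected(f"unexpected update host {parsed.hostname!r}")
    payload = fake_transport(manifest.url, poisoned)
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, manifest.sha256):
        raise UpdateRejected("installer digest does not match manifest")
    return payload


def dns_answer_anomalies(answers, expected_networks):
    """Return resolver answers that fall outside the address ranges the vendor
    is known to use: a cheap detection for the kind of poisoning described."""
    nets = [ipaddress.ip_network(n) for n in expected_networks]
    return [a for a in answers
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def run_demo() -> dict:
    """Run the scenarios and return their outcomes."""
    good_digest = hashlib.sha256(LEGIT_INSTALLER).hexdigest()
    http_manifest = UpdateManifest("http://updates.example.com/app.pkg", good_digest, "2.1")
    https_manifest = UpdateManifest("https://updates.example.com/app.pkg", good_digest, "2.1")
    results = {}
    # Insecure client under a poisoned resolver silently runs the trojanized bytes.
    results["insecure_poisoned"] = fetch_insecure(http_manifest, True) == TROJANIZED_INSTALLER
    scenarios = [("hardened_http", http_manifest, False),
                 ("hardened_poisoned", https_manifest, True),
                 ("hardened_clean", https_manifest, False)]
    for label, manifest, poisoned in scenarios:
        try:
            fetch_hardened(manifest, poisoned)
            results[label] = "accepted"
        except UpdateRejected as exc:
            results[label] = f"rejected: {exc}"
    # Constructed resolver answers: one inside the vendor's known range, one not
    # (both taken from RFC 5737 documentation ranges).
    results["dns_anomalies"] = dns_answer_anomalies(
        ["198.51.100.20", "203.0.113.7"], ["198.51.100.0/24"])
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the script shows the insecure client accepting the trojanized package, while the hardened client rejects the HTTP manifest before downloading, rejects the redirected download on digest mismatch, and accepts only the clean package; the drift check flags the answer outside the expected range. In production the manifest digest must itself be authenticated (a signed manifest or a pinned signing key), otherwise an attacker who controls the update channel can serve a matching digest alongside the trojanized installer.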
It’s crucial to maintain updated security patches on all devices and collaborate with ISPs to ensure they are also following best security practices.