    China-based Evasive Panda hackers compromised an ISP to spread malware, report says

    aum
     A China-based cyber-espionage group compromised an internet service provider (ISP) to spread malware in 2023, researchers said Friday, confirming a hunch expressed in an earlier report about the same operation.
    Analysts at Volexity said the hacking operation — known as Evasive Panda, Bronze Highland, Daggerfly and StormBamboo — was indeed undertaking “adversary in the middle” attacks in 2023 as it infected Mac and Windows systems. In such incidents, threat actors get between a device and an otherwise trusted server to deliver malicious code.
    Researchers at a different company, ESET, had attributed at least one malware infection to Evasive Panda in 2023 but could only speculate that it was an adversary-in-the-middle attack.
    Volexity said its analysis showed that Evasive Panda had compromised the target’s ISP and was poisoning DNS responses, the lookups that translate a hostname into the IP address a device connects to.

    “Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network,” Volexity said. “As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped.”
    The attackers had used the poisoned DNS to serve up information-stealing malware known as MgBot or Pocostick (for Windows machines) and Macma (for macOS devices). MgBot, in particular, has been a tool for Evasive Panda for more than a decade. ESET found MgBot used against China’s Tibetan population earlier this year.

    Volexity said that in the 2023 incidents it analyzed, certain apps would request updates but the users’ devices would get MgBot and Macma instead.
    “StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers,” Volexity said.
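As an added illustration of the missing check the quote describes (example code, not code from the article or from Volexity), the Go program below shows an update client that refuses any installer whose Ed25519 signature does not verify under a vendor key pinned in the client, no matter what the transport delivered. The vendor and attacker keys, the installer bytes and the UpdateResponse shape are hypothetical and constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// UpdateResponse is what the client gets back from the update server; on a plain-HTTP channel with poisoned DNS, an adversary in the middle controls both fields.
type UpdateResponse struct {
	Installer []byte
	Signature []byte // Ed25519 signature over Installer, made with the vendor's key
}

// verifyUpdate accepts an installer only if its signature verifies under the vendor public key pinned in the client; the transport itself is given no trust.
func verifyUpdate(pinned ed25519.PublicKey, r UpdateResponse) error {
	if len(r.Signature) != ed25519.SignatureSize {
		return errors.New("rejected: missing or malformed signature")
	}
	if !ed25519.Verify(pinned, r.Installer, r.Signature) {
		return errors.New("rejected: signature does not match pinned vendor key")
	}
	return nil
}

// simulate runs constructed update responses (hypothetical keys, no real installer or malware) through the check and reports which ones would be installed.
func simulate() map[string]bool {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader) // hypothetical vendor key pair
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)       // hypothetical attacker key pair
	genuine := []byte("constructed: genuine installer v2.0")
	swapped := []byte("constructed: installer substituted via DNS poisoning")
	cases := map[string]UpdateResponse{
		"genuine":         {genuine, ed25519.Sign(vendorPriv, genuine)},
		"swapped_payload": {swapped, ed25519.Sign(vendorPriv, genuine)},   // old vendor signature reused
		"attacker_signed": {swapped, ed25519.Sign(attackerPriv, swapped)}, // signed, but by the wrong key
		"unsigned":        {swapped, nil},                                 // what an HTTP-only updater without checks would accept
	}
	out := map[string]bool{}
	for name, r := range cases {
		out[name] = verifyUpdate(vendorPub, r) == nil
	}
	return out
}
func main() {
	for name, ok := range simulate() {
		fmt.Printf("%-16s install=%v\n", name, ok)
	}
}
```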
    Evasive Panda remains “a highly skilled and aggressive threat actor,” the researchers said, with a wide variety of malware at hand and “significant effort” invested in operations.