Jump to content
  • Chinese Hackers Deliver Malware via ISP-Level DNS Poisoning

    aum

    • 168 views
    • 2 minutes
     Share


    • 168 views
    • 2 minutes

    Chinese group StormBamboo spotted delivering Windows and macOS malware by compromising an ISP and using DNS poisoning.

     

    Threat intelligence and incident response firm Volexity has shared details on attacks in which a threat actor linked to China used ISP-level DNS poisoning in order to deliver malware to targets.

     

    The operation was conducted by an APT tracked as StormBamboo, Evasive Panda, and StormCloud.

     

    Volexity has not shared any information on the targeted entities, but the threat actor is known for cyberespionage operations aimed at organizations in Asia.

     

    According to the cybersecurity firm, which started investigating the attacks in mid-2023, the attackers compromised an internet provider’s systems and performed DNS poisoning in order to deliver Windows and macOS malware through insecure automatic software update mechanisms.

     

    “Volexity determined that StormBamboo was altering DNS query responses for specific domains tied to automatic software update mechanisms. StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers. Therefore, when these applications went to retrieve their updates, instead of installing the intended update, they would install malware,” the security firm explained.

     

    Volexity worked with the targeted ISP to respond to the incident.

     

    “As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped. During this time, it was not possible to pinpoint a specific device that was compromised, but various components of the infrastructure were updated or left offline and the activity ceased,” Volexity said.

     

    The company saw StormBamboo delivering malware such as MacMa (CDDS), a macOS threat first spotted by Google in 2021. At the time it had been delivered to users in Hong Kong via watering hole attacks and a macOS zero-day vulnerability.

     

    In another case, Volexity saw StormBamboo deploying a malicious Chrome extension named Reloadext, which enables the exfiltration of email data.

     

    Source


    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...