StormBamboo compromised an ISP to manipulate DNS responses, redirecting software update requests to deliver malware instead of legitimate updates.
By targeting applications with insecure HTTP update mechanisms and bypassing digital signature verification, the threat actor successfully installed malware, including MACMA and POCOSTICK, on victim macOS and Windows systems.
It poisoned DNS records, redirecting traffic to a Hong Kong server for malware deployment via HTTP updates and establishing command-and-control channels.
Initial investigation indicated a compromised firewall, but the attack originated upstream at the ISP level. Disrupting ISP network components temporarily halted the poisoning, pinpointing the attack without identifying the compromised device.
Attackers leveraged DNS poisoning to redirect legitimate software update requests to malicious servers.
By manipulating DNS responses, they replaced genuine update files with malicious installers, exploiting insecure automatic update mechanisms in victim environments that required no user interaction, demonstrating a sophisticated abuse of existing software update protocols.
An attacker leveraged insecure software update mechanisms to deploy malware by compromising an Internet Service Provider (ISP) to manipulate DNS resolution and redirect update requests for a legitimate program (e.g., YoutubeDL).
The redirected update included a modified configuration file, triggering the download of a malicious package from the attacker’s server, which contained a backdoored version of the program (e.g., YoutubeDL.py) with malicious code injected for further compromise.
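The two defender-side checks that the attack chain above defeats in victims who lacked them, written as an added example (not code from the Volexity report or from any affected vendor): an independent-resolver cross-check that surfaces ISP-level DNS poisoning as an answer-set mismatch, and an update-client gate that refuses plain-HTTP update URLs, unexpected hosts, and packages whose digest does not match a trusted manifest. All hostnames, IP addresses, resolver names, and package bytes are constructed sample data.

```python
"""Added example (not from the Volexity report): two defender-side checks against
DNS-poisoned software updates. All names, addresses, and package bytes are
constructed; the resolver labels are hypothetical."""
import hashlib
import hmac
from dataclasses import dataclass
from urllib.parse import urlparse

# --- 1. Resolver cross-check -------------------------------------------------
# Constructed answers: the same names resolved through the ISP's resolver and
# through an independent, trusted resolver (e.g. DNS-over-HTTPS). Poisoning at
# the ISP shows up as a disagreement. CDN-backed names can legitimately return
# different addresses per resolver, so treat a mismatch as a signal to triage,
# not as proof of compromise.
SAMPLE_ANSWERS = {
    "updates.example.com": {                     # constructed update host
        "isp_resolver": {"203.0.113.7"},         # constructed, TEST-NET-3 range
        "trusted_resolver": {"198.51.100.10"},   # constructed, TEST-NET-2 range
    },
    "static.example.com": {
        "isp_resolver": {"198.51.100.20"},
        "trusted_resolver": {"198.51.100.20"},
    },
}


def poisoned_names(answers: dict) -> list:
    """Return the names whose answer sets differ between the two resolvers."""
    return sorted(
        name for name, a in answers.items()
        if a["isp_resolver"] != a["trusted_resolver"]
    )


# --- 2. Update-client validation ---------------------------------------------
@dataclass(frozen=True)
class UpdateManifest:
    url: str      # where the client will download the package
    sha256: str   # expected package digest from a manifest the client trusts
                  # (fetched over HTTPS; in production the manifest should also
                  # carry a signature verified against a key pinned in the client)


ALLOWED_UPDATE_HOSTS = {"updates.example.com"}   # constructed allowlist


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def update_verdict(manifest: UpdateManifest, package: bytes, allowed_hosts: set) -> str:
    """Return "ok" or the reason the package must not be installed.

    A poisoned DNS answer alone cannot pass these checks: HTTPS with certificate
    validation binds the connection to the real hostname, and the digest binds
    the downloaded bytes to the trusted manifest.
    """
    parsed = urlparse(manifest.url)
    if parsed.scheme != "https":
        return "rejected: update URL is not HTTPS"
    if parsed.hostname not in allowed_hosts:
        return "rejected: unexpected update host"
    if not hmac.compare_digest(sha256_hex(package), manifest.sha256):
        return "rejected: package digest does not match manifest"
    return "ok"


# Constructed sample packages: the genuine one and a swapped-in installer.
GOOD_PACKAGE = b"constructed genuine update package v2.0"
BAD_PACKAGE = b"constructed backdoored installer"
GOOD_MANIFEST = UpdateManifest("https://updates.example.com/app/v2.0.pkg", sha256_hex(GOOD_PACKAGE))
HTTP_MANIFEST = UpdateManifest("http://updates.example.com/app/v2.0.pkg", sha256_hex(GOOD_PACKAGE))

if __name__ == "__main__":
    print("resolver disagreement on:", poisoned_names(SAMPLE_ANSWERS))
    print("genuine over HTTPS:", update_verdict(GOOD_MANIFEST, GOOD_PACKAGE, ALLOWED_UPDATE_HOSTS))
    print("swapped package:", update_verdict(GOOD_MANIFEST, BAD_PACKAGE, ALLOWED_UPDATE_HOSTS))
    print("plain HTTP URL:", update_verdict(HTTP_MANIFEST, GOOD_PACKAGE, ALLOWED_UPDATE_HOSTS))
```

The resolver cross-check is the kind of evidence that would have pointed upstream of the firewall earlier in the investigation described above; the update gate is the property the targeted applications lacked, since an HTTP-only update check with no digest or signature validation lets whoever controls the DNS answer control the installed bytes.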
The malware initially downloads a PNG file containing either MACMA or POCOSTICK based on the operating system. MACMA, first documented in 2021, has undergone significant evolution, including a complete overhaul of its network protocol from a custom DDS implementation to the kNET protocol.
Volexity researchers have identified strong code similarities between the latest MACMA variant and the previously analyzed GIMMICK malware, suggesting a potential shared origin or development.
A malicious Chrome extension named RELOADEXT was deployed on compromised macOS devices by utilizing a custom installer to modify the Secure Preferences file, bypassing tamper protection.
RELOADEXT masquerades as an Internet Explorer compatibility tool but actually steals browser cookies. The attacker’s Google Drive credentials, along with encryption keys for stolen data, are embedded within the extension, obfuscated with additional layers beyond the default method.
StormBamboo, a highly skilled adversary, leveraged a compromised ISP to execute DNS poisoning attacks that redirected software updates to malicious payloads. This activity, previously attributed to DriftingBamboo, underscores the threat actor's proficiency in exploiting insecure update mechanisms.
By intercepting DNS requests and substituting legitimate update servers with compromised infrastructure, StormBamboo successfully deployed a variety of malware targeting macOS, Windows, and network appliances.