Chinese hackers hijacked an ISP software update to spread malware

News
By
published

StormBamboo hijacked an ISP to push infected updates

Global Satellite System
(Image credit: Shutterstock)

Windows and macOS machines alike have been hit by malware after notorious Chinese hacker group StormBamboo used a compromised internet service provider (ISP) to target organizations with poisoned DNS responses.

StormBamboo used altered DNS query responses tied to automatic update mechanisms to target organizations that used insecure update mechanisms that did not properly validate the digital signatures.

The organizations’ applications would then search for updates, but instead of retrieving the update from the official site, they would instead download malware.

MACMA and POCOSTICK attacks

The StormBamboo campaign was first detected by Volexity in mid-2023, however it took some time for the attack vector to be identified, but mirrors a similar infection vector as a previous campaign attributed to DriftingBamboo.

In one incident, Volexity suspected the DNS poisoning was occuring at the target infrastructure level, but subsequent investigation revealed that the poisoning was occuring at the ISP level. Once the ISP was notified, they methodically rebooted systems and took components of the network offline, which caused the DNS poisoning to stop.

In order to push their malware onto target systems, StormBamboo would use the poisoned DNS to redirect HTTP requests to a command-and-control (C2) server that would supply a forged text file and malware installer instead of the legitimate software update. The forged text file replaces the legitimate text-based file that would typically contain the latest application version and an installer link requested via HTTP. The malware pushed by StormBamboo included MACMA and POCOSTICK.

StormBamboo used varying methods of this attack vector to target software vendors using insecure update workflows. HTTPS uses encryption and digital signatures to verify the authenticity of requests, making it far more secure than HTTP. Volexity provided guidance on defending against this particular attack vector, including a link to a set of rules used for detecting malicious activity, and and IOC block list.

More from TechRadar Pro

Benedict Collins
Benedict Collins
Staff Writer (Security)

Benedict has been writing about security issues for close to 5 years, at first covering geopolitics and international relations while at the University of Buckingham. During this time he studied BA Politics with Journalism, for which he received a second-class honours (upper division). Benedict then continued his studies at a postgraduate level and achieved a distinction in MA Security, Intelligence and Diplomacy. Benedict transitioned his security interests towards cybersecurity upon joining TechRadar Pro as a Staff Writer, focusing on state-sponsored threat actors, malware, social engineering, and national security. Benedict is also an expert on B2B security products, including firewalls, antivirus, endpoint security, and password management.