A Chinese hacking group, known as StormBamboo, has compromised an internet service provider (ISP) to distribute malware through automatic software updates. This cyber-espionage group, also called Evasive Panda, Daggerfly, and StormCloud, has been active since at least 2012, targeting organizations in China, Hong Kong, Macao, Nigeria, and various countries in Southeast and East Asia.
On Friday, cybersecurity researchers from Volexity revealed that StormBamboo exploited insecure software update mechanisms that did not verify digital signatures. This allowed the group to deploy malware on Windows and macOS devices instead of the intended updates.
They did this by poisoning DNS responses at the compromised ISP, so that the hostnames the affected applications contacted for update checks resolved to attacker-controlled IP addresses. Because the update clients trusted whatever those hosts returned, the attackers' command-and-control servers could serve malware in place of a legitimate update without any user interaction.
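To make the attack path concrete, here is an added example (not code from Volexity or from any of the affected vendors) that models an update client sitting behind a poisonable resolver. Everything in it is constructed: the hostname `updates.example-player.invalid`, the RFC 5737 documentation IPs, the JSON manifest format, and the "installer" byte strings are placeholders. It contrasts an updater that merely checks the hash published in the manifest it just downloaded with one that also verifies an Ed25519 signature over that manifest against a key pinned in the client, and shows that only the second one turns DNS poisoning into a refused update rather than a backdoored install.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// updateHost is a placeholder, not a real vendor domain.
const updateHost = "updates.example-player.invalid"

// manifest is a hypothetical update-metadata format fetched before the installer.
type manifest struct {
	Version string `json:"version"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

// server stands in for an HTTP update server: manifest, detached signature, installer.
type server struct {
	manifest, signature, installer []byte
}

// network models the vantage point StormBamboo had: a resolver the attacker
// can poison, with hosts reachable only by the IP the resolver hands back.
type network struct {
	dns   map[string]string  // hostname -> IP (attacker-controlled at the ISP)
	hosts map[string]*server // IP -> server
}

func (n *network) fetch(host string) (*server, error) {
	ip, ok := n.dns[host]
	if !ok {
		return nil, fmt.Errorf("no DNS record for %s", host)
	}
	s, ok := n.hosts[ip]
	if !ok {
		return nil, fmt.Errorf("no server at %s", ip)
	}
	return s, nil
}

func sha256Hex(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// publish builds what a server needs. The vendor signs with its own key; the
// attacker signs with a key of their own, since they lack the vendor's key.
func publish(priv ed25519.PrivateKey, version string, installer []byte) *server {
	m, _ := json.Marshal(manifest{Version: version, SHA256: sha256Hex(installer)})
	return &server{manifest: m, signature: ed25519.Sign(priv, m), installer: installer}
}

// insecureUpdate is the pattern the article describes: trust whatever the
// update host returns. The hash check is worthless here because the attacker
// authored both the manifest and the installer it describes.
func insecureUpdate(n *network, host string) ([]byte, error) {
	s, err := n.fetch(host)
	if err != nil {
		return nil, err
	}
	var m manifest
	if err := json.Unmarshal(s.manifest, &m); err != nil {
		return nil, err
	}
	if sha256Hex(s.installer) != m.SHA256 {
		return nil, errors.New("installer hash mismatch")
	}
	return s.installer, nil
}

// secureUpdate pins the vendor's public key and rejects any manifest it did
// not sign, so a poisoned resolver yields an error instead of a backdoor.
func secureUpdate(n *network, host string, pinned ed25519.PublicKey) ([]byte, error) {
	s, err := n.fetch(host)
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pinned, s.manifest, s.signature) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m manifest
	if err := json.Unmarshal(s.manifest, &m); err != nil {
		return nil, err
	}
	if sha256Hex(s.installer) != m.SHA256 {
		return nil, errors.New("installer hash mismatch")
	}
	return s.installer, nil
}

// buildScenario constructs an honest resolver and a poisoned one that point
// the same hostname at the vendor (203.0.113.10) or the attacker (198.51.100.7).
func buildScenario() (honest, poisoned *network, vendorPub ed25519.PublicKey) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	hosts := map[string]*server{
		"203.0.113.10": publish(vendorPriv, "6.9", []byte("legit-installer")),
		"198.51.100.7": publish(attackerPriv, "6.9", []byte("backdoored-installer")),
	}
	honest = &network{dns: map[string]string{updateHost: "203.0.113.10"}, hosts: hosts}
	poisoned = &network{dns: map[string]string{updateHost: "198.51.100.7"}, hosts: hosts}
	return
}

func main() {
	honest, poisoned, pub := buildScenario()
	for _, n := range []*network{honest, poisoned} {
		got, _ := insecureUpdate(n, updateHost)
		_, err := secureUpdate(n, updateHost, pub)
		fmt.Printf("insecure updater installed %q; signed updater error: %v\n", got, err)
	}
}
```

The point of pinning the key in the client rather than fetching it from the update host is that the attacker controls everything that host returns, including any certificate or key served alongside the manifest; a hash inside an attacker-supplied manifest proves nothing. Real updaters should additionally bind the manifest to a version or timestamp so a signed but stale manifest cannot be replayed to downgrade the client.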
"Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware. Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped," the researchers added.
For example, StormBamboo used 5KPlayer update requests to push a backdoored installer from their servers. Once the target's system was compromised, the hackers installed a malicious Google Chrome extension, ReloadText, which stole browser cookies and email data.
Volexity noted that StormBamboo targeted multiple software vendors with insecure update processes. The company worked with the ISP to investigate and resolve the issue, immediately stopping the DNS poisoning once the network components were rebooted.
In April 2023, ESET researchers observed StormBamboo using the Pocostick (MGBot) Windows backdoor by exploiting the update mechanism for Tencent QQ. In July 2024, Symantec found the group targeting an American NGO in China and several organizations in Taiwan with new Macma macOS and Nightdoor Windows malware versions.
In that 2023 case, ESET could not determine exactly how the malicious update reached victims and suspected either a supply chain compromise or an adversary-in-the-middle attack; the ISP-level DNS poisoning Volexity has now documented is consistent with the latter.
This incident highlights why update mechanisms must verify a digital signature from a key pinned in the client before installing anything, and must not rely on DNS or the network path being trustworthy: an attacker who controls name resolution controls every unauthenticated download.