© 2024 CoolTechZone - Latest tech news, product reviews, and analyses.

Chinese hackers spread malware via compromised ISP


In 2023, a Chinese hacking group compromised an internet service provider (ISP) and used its position to hijack automatic software updates, delivering malware to organizations downstream of that ISP.

In mid-2023 security analysts at Volexity detected and responded to multiple incidents involving systems that were infected with malware linked to StormBamboo, also known as Evasive Panda, Daggerfly, Bronze Highland and StormCloud.

Security researchers have revealed that the group abused insecure software update mechanisms: applications on the victims' Windows and macOS systems fetched updates over plain HTTP and did not validate digital signatures on the installers they received. By poisoning DNS at the undisclosed ISP, StormBamboo was able to swap those updates for malware across the victim organizations' networks.

This is how the hackers pulled it off. Having gained control of the ISP's DNS infrastructure, the attackers altered the DNS responses for the hostnames of the affected software vendors' update servers so that they resolved to attacker-controlled IP addresses. When the applications on victim machines checked for updates, they connected to those addresses instead and downloaded and installed malware from StormBamboo's command-and-control server, with nothing in the update flow to flag that the installer had not come from the vendor.
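The chain above is short enough to model end to end. The following Go program is an added example, not code from the article, from Volexity or from any of the affected vendors: it stands a vendor host and an attacker host behind a resolver that is either honest or poisoned, then runs two update clients against it. The first mirrors the pattern the incident relied on (take whatever the resolved host serves); the second pins the vendor's Ed25519 public key in the client and refuses any installer whose detached signature does not verify, so the poisoned DNS answer produces an error rather than an install. The hostname, addresses and payload bytes are constructed placeholders.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-ins for a real installer and a malicious replacement.
var (
	genuineInstaller = []byte("GENUINE-INSTALLER-v2.1")
	maliciousPayload = []byte("ATTACKER-SUPPLIED-PAYLOAD")
)

// Hypothetical update hostname and addresses (RFC 5737 documentation ranges).
const (
	updateHost = "update.vendor.example"
	vendorIP   = "203.0.113.10"
	attackerIP = "198.51.100.7"
)

// What an update server returns: the installer plus a detached Ed25519
// signature over SHA-256(installer).
type updateResponse struct {
	Installer []byte
	Signature []byte
}

// network models the resolver the client was handed (here, the ISP's) and
// whatever host the DNS answer points at.
type network struct {
	resolver map[string]string         // hostname -> IP
	servers  map[string]updateResponse // IP -> what that host serves
}

// fetch is the plain-HTTP GET of the update flow: resolve, connect, take what
// comes back. Nothing here authenticates the peer.
func (n network) fetch(host string) (updateResponse, error) {
	ip, ok := n.resolver[host]
	if !ok {
		return updateResponse{}, fmt.Errorf("no DNS answer for %s", host)
	}
	resp, ok := n.servers[ip]
	if !ok {
		return updateResponse{}, fmt.Errorf("no server reachable at %s", ip)
	}
	return resp, nil
}

// updateInsecure: HTTP, no signature check. Whoever controls the DNS answer
// controls what gets installed.
func updateInsecure(n network, host string) ([]byte, error) {
	resp, err := n.fetch(host)
	if err != nil {
		return nil, err
	}
	return resp.Installer, nil
}

// updateVerified accepts only installers signed by the key pinned in the client.
func updateVerified(n network, host string, pinned ed25519.PublicKey) ([]byte, error) {
	resp, err := n.fetch(host)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(resp.Installer)
	if !ed25519.Verify(pinned, digest[:], resp.Signature) {
		return nil, errors.New("installer signature does not verify against pinned vendor key")
	}
	return resp.Installer, nil
}

// buildScenario sets up both hosts and a resolver that is honest or poisoned to
// point the update hostname at the attacker. Returns the vendor key to pin.
func buildScenario(poisoned bool) (network, ed25519.PublicKey) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader) // attacker signs with its own key
	if err != nil {
		panic(err)
	}
	genuineDigest := sha256.Sum256(genuineInstaller)
	maliciousDigest := sha256.Sum256(maliciousPayload)
	n := network{
		resolver: map[string]string{updateHost: vendorIP},
		servers: map[string]updateResponse{
			vendorIP:   {genuineInstaller, ed25519.Sign(vendorPriv, genuineDigest[:])},
			attackerIP: {maliciousPayload, ed25519.Sign(attackerPriv, maliciousDigest[:])},
		},
	}
	if poisoned {
		n.resolver[updateHost] = attackerIP
	}
	return n, vendorPub
}

func main() {
	n, pinned := buildScenario(true)
	got, _ := updateInsecure(n, updateHost)
	fmt.Printf("insecure updater installed attacker payload: %v\n", bytes.Equal(got, maliciousPayload))
	_, err := updateVerified(n, updateHost, pinned)
	fmt.Printf("verified updater rejected it: %v (%v)\n", err != nil, err)
}
```

The point of pinning the key in the client rather than fetching it alongside the update is that the attacker in this scenario controls name resolution and therefore every byte the client downloads; only material already present on the endpoint before the poisoning can serve as a trust anchor. HTTPS with certificate validation would also have defeated the attack, since the attacker's host cannot present a valid certificate for the vendor's hostname, but signature verification additionally protects against a compromised vendor server, which is why mature update systems do both.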

The hacking group infected both platforms: macOS systems with the MACMA backdoor and Windows systems with POCOSTICK, also known as MGBot. Once inside an organization's network, the attackers also deployed a malicious Google Chrome extension called RELOADEXT, which they used to exfiltrate browser cookies and victim mail data.

According to Volexity, the working hypothesis had been an adversary-in-the-middle (AitM) attack, in which an attacker positions itself on the network path between two communicating parties in order to eavesdrop on, intercept or manipulate their traffic.

“Volexity can now confirm this scenario in a real-world case and prove the attacker was able to control the target ISP’s DNS infrastructure in order to modify DNS responses in the victim organization’s network,” the security firm says.

Volexity notified and worked with the undisclosed ISP, which investigated several key devices on its network. Once the ISP rebooted and took various components of the network offline, the DNS poisoning stopped.

Security researchers remind us that StormBamboo remains a “highly skilled and aggressive threat actor” who compromises third parties to breach targeted victims. “The variety of malware employed in various campaigns by this threat actor indicates significant effort is invested, with actively supported payloads for not only macOS and Windows, but also network appliances,” they conclude.

