China-Linked Hackers Compromise ISP to Deploy Malicious Software Updates

Summary:
Evasive Panda, also known as Bronze Highland, Daggerfly, and StormBamboo, is a China-linked cyber espionage group active since at least 2012. In mid-2023, they compromised an unnamed ISP to deliver malicious software updates to target companies, showcasing their sophisticated tactics. Evasive Panda employs various backdoors, such as MgBot and Nightdoor, to collect sensitive information. Recently, they have also been linked to a macOS malware strain called MACMA, active since 2021.

Volexity confirmed that these attacks stemmed from a DNS poisoning attack at the ISP level. The threat actor altered DNS query responses for domains tied to automatic software updates, exploiting insecure mechanisms such as HTTP. This allowed them to deliver MgBot or MACMA based on the operating system. One attack involved deploying a malicious Google Chrome extension on macOS devices to exfiltrate browser cookies to a Google Drive account controlled by the adversary. Researchers noted that Evasive Panda intercepted DNS requests and used malicious IP addresses to exploit HTTP-based automatic update mechanisms. Volexity notified the affected ISP to address the DNS poisoning attack.
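The two conditions the attack above relies on, a resolver returning an unexpected address for an update domain and an update client that fetches over plain HTTP with no signature check, are both things a defender can audit. The script below is an added example written for this summary, not code from Volexity or the article: it runs a simple baseline check over constructed resolver log lines (the domains, CIDR ranges and log format are invented placeholders, not the vendors' real infrastructure) and separately flags update URLs that use the HTTP scheme.

```python
import ipaddress
import re
from dataclasses import dataclass

# Hypothetical baseline: update domains an organisation depends on, and the
# address ranges their legitimate answers are expected to fall in. These
# domains and ranges are constructed placeholders, not real vendor ranges.
UPDATE_DOMAIN_BASELINE = {
    "updates.example-vendor.test": ["203.0.113.0/24"],
    "cdn.example-app.test": ["198.51.100.0/24", "2001:db8:1::/48"],
}

# Constructed sample resolver log in a simple format:
# <timestamp> <client> <qname> <qtype> <answer>
SAMPLE_DNS_LOG = """\
2023-06-01T10:00:01Z 10.0.0.5 updates.example-vendor.test A 203.0.113.27
2023-06-01T10:00:02Z 10.0.0.5 updates.example-vendor.test A 192.0.2.99
2023-06-01T10:00:03Z 10.0.0.7 cdn.example-app.test A 198.51.100.8
2023-06-01T10:00:04Z 10.0.0.7 cdn.example-app.test AAAA 2001:db8:1::10
2023-06-01T10:00:05Z 10.0.0.9 www.unrelated.test A 192.0.2.1
"""

# Constructed list of update endpoints as an inventory script might collect them.
SAMPLE_UPDATE_URLS = [
    "https://updates.example-vendor.test/latest.xml",
    "http://updates.example-vendor.test/latest.xml",
    "https://cdn.example-app.test/manifest.json",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA) (\S+)$")


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    qname: str
    answer: str
    reason: str


def _answer_in_baseline(answer: str, ranges: list[str]) -> bool:
    """True if the answer address lies in any of the expected ranges.

    ipaddress handles the v4/v6 mismatch: an IPv4 address is never 'in'
    an IPv6 network, so mixed baselines are safe."""
    addr = ipaddress.ip_address(answer)
    return any(addr in ipaddress.ip_network(r) for r in ranges)


def find_poisoned_answers(log_text: str, baseline=UPDATE_DOMAIN_BASELINE) -> list[Finding]:
    """Flag resolver answers for watched update domains that fall outside
    the expected ranges. Unwatched domains are ignored; a malformed answer
    for a watched domain is reported rather than silently skipped."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, _qtype, answer = m.groups()
        ranges = baseline.get(qname.lower().rstrip("."))
        if ranges is None:
            continue
        try:
            ok = _answer_in_baseline(answer, ranges)
        except ValueError:
            findings.append(Finding(ts, client, qname, answer, "unparseable answer"))
            continue
        if not ok:
            findings.append(Finding(ts, client, qname, answer, "answer outside baseline ranges"))
    return findings


def audit_update_urls(urls: list[str]) -> list[str]:
    """Return update URLs fetched over plain HTTP. With no TLS, a poisoned
    DNS answer alone is enough to hand the client an attacker-chosen file."""
    return [u for u in urls if u.lower().startswith("http://")]


if __name__ == "__main__":
    for f in find_poisoned_answers(SAMPLE_DNS_LOG):
        print(f"{f.timestamp} {f.client} {f.qname} -> {f.answer}: {f.reason}")
    for u in audit_update_urls(SAMPLE_UPDATE_URLS):
        print(f"insecure update channel: {u}")
```

The baseline check only catches answers that leave the expected ranges, so it is a coarse tripwire rather than proof of poisoning; the more durable fix is the second half of the audit, moving every update channel to HTTPS with signed payloads so a wrong DNS answer cannot by itself deliver code.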

Security Officer Comments:
According to Volexity, the group is known for compromising third parties, like ISPs, to reach their intended victims. They use diverse malware payloads for macOS, Windows, and network appliances, indicating significant investment in their operations. Reports from ESET and Symantec over the past two years document Evasive Panda's use of MgBot in watering hole and supply chain attacks targeting Tibetan users. They also targeted an international NGO in China using MgBot delivered through legitimate application update channels like Tencent QQ.

Suggested Corrections:
To detect the malware used in this specific attack, Volexity recommends the following:

  • Use the rules provided here to detect related activity.
  • Block the IOCs provided here.

Link(s):
https://thehackernews.com/2024/08/china-linked-hackers-compromise-isp-to.html

https://www.volexity.com/blog/2024/...to-abuse-insecure-software-update-mechanisms/