StormBamboo ISP Compromise for Malware Updates

StormBamboo: A Sophisticated Cyberespionage Threat Actor

New research from cybersecurity company Volexity has uncovered a highly sophisticated attack orchestrated by a Chinese-speaking cyberespionage threat actor known as StormBamboo. This threat actor targeted multiple software vendors by compromising an ISP and manipulating DNS responses to deliver malicious payloads alongside legitimate software updates for macOS and Microsoft Windows operating systems.

Understanding StormBamboo

StormBamboo, also identified by aliases like Evasive Panda, Daggerfly, or Bronze Highland, is a Chinese-aligned cyberespionage threat actor that has been active since at least 2012. The group has a history of targeting organizations globally, particularly those aligned with Chinese interests. Targets have included individuals in mainland China, Hong Kong, Macao, and Nigeria, as well as governments in Southeast Asia, East Asia, the U.S., India, and Australia.

StormBamboo’s tactics involve compromising legitimate infrastructures with custom malware for both Microsoft Windows and macOS operating systems. They have employed techniques like watering hole attacks to compromise specific websites and supply chain attacks to discreetly infect systems with malware. Additionally, the group has shown the capability to target Android users.

ISP Compromised: Manipulating DNS Responses

In this recent attack, StormBamboo infiltrated an ISP’s infrastructure to control DNS responses from the ISP’s servers. By altering DNS responses, the threat actor directed systems requesting software updates to malicious payloads alongside legitimate files. While the specific method of compromising the ISP remains unknown, Volexity observed the ISP taking corrective actions that halted the DNS poisoning operation.


StormBamboo focused on altering DNS responses for various legitimate software update websites, highlighting the group’s intent to spread malware through disguised updates.

Abusing Legitimate Update Mechanisms

Multiple software vendors fell victim to StormBamboo’s attack. When users’ systems queried the compromised DNS server for updates, they were served genuine-looking software updates mixed with malicious payloads. One example involved the software 5KPlayer, which, upon update requests, was redirected to download a backdoored package containing MACMA for macOS and POCOSTICK/MGBot for Microsoft Windows.

MACMA and POCOSTICK/MGBot are custom malware strains associated with StormBamboo, capable of keylogging, file theft, audio capture, and other nefarious activities. The attackers exploited insecure update workflows to distribute these malicious payloads.

Identifying Malicious Payloads

POCOSTICK (MGBot) and MACMA are advanced malware tools attributed to StormBamboo, with functionalities like keylogging, device fingerprinting, and data exfiltration. Interestingly, Google identified MACMA in watering hole attacks targeting visitors of Hong Kong websites, aligning with StormBamboo’s known tactics. Volexity also observed code similarities between MACMA and another malware family called GIMMICK, associated with the StormCloud threat actor.

In one instance, after compromising a macOS device, StormBamboo deployed a malicious Google Chrome extension to steal browser cookies, demonstrating the group’s persistent and evolving tactics.

Protecting Users from Cyber Threats

To mitigate the risks posed by cyber threats like StormBamboo, software vendors must enhance their update mechanisms. Volexity identified several insecure update processes in software like 5KPlayer, Quick Heal, Sogou, Rainmeter, Partition Wizard, and Corel. The recommended measures include enforcing HTTPS for update downloads, verifying SSL certificates, signing updates, and validating signatures before execution.
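As an added illustration of the update-client side of those recommendations (example code written for this article, not Volexity's or any vendor's code), the following Go program refuses non-HTTPS update URLs and validates an Ed25519 signature over the package digest against a pinned vendor key before anything is executed. The manifest layout, the `SignRelease`/`VerifyUpdate` names and the update bytes are assumptions constructed for the example; a DNS-poisoned download that substitutes bytes, or a manifest signed with anyone else's key, is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// UpdateManifest is a hypothetical manifest a vendor ships with each release.
type UpdateManifest struct {
	URL       string   // download location; must be HTTPS
	SHA256    [32]byte // digest of the package bytes
	Signature []byte   // Ed25519 signature over the digest, made with the vendor's release key
}

// VerifyUpdate enforces HTTPS, checks the payload digest, and validates the
// signature against the key pinned in the client. Only then may the package run.
func VerifyUpdate(m UpdateManifest, payload []byte, pinnedKey ed25519.PublicKey) error {
	u, err := url.Parse(m.URL)
	if err != nil || u.Scheme != "https" {
		return errors.New("refusing non-HTTPS update URL")
	}
	digest := sha256.Sum256(payload)
	if digest != m.SHA256 {
		return errors.New("payload digest does not match manifest")
	}
	if !ed25519.Verify(pinnedKey, digest[:], m.Signature) {
		return errors.New("signature invalid: not signed by the pinned vendor key")
	}
	return nil
}

// SignRelease is the vendor-side step at release time, included so the example runs offline.
func SignRelease(priv ed25519.PrivateKey, downloadURL string, payload []byte) UpdateManifest {
	digest := sha256.Sum256(payload)
	return UpdateManifest{URL: downloadURL, SHA256: digest, Signature: ed25519.Sign(priv, digest[:])}
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed vendor key; nil means crypto/rand
	genuine := []byte("constructed sample: genuine update package bytes")
	m := SignRelease(priv, "https://updates.example.invalid/player.pkg", genuine)
	fmt.Println("genuine:", VerifyUpdate(m, genuine, pub))
	// A poisoned DNS answer can hand back different bytes for the same hostname; the digest check rejects them.
	fmt.Println("swapped bytes:", VerifyUpdate(m, []byte("substituted package"), pub))
	// A matching manifest can be built for the substituted bytes, but not signed with the vendor's key.
	_, otherPriv, _ := ed25519.GenerateKey(nil)
	fmt.Println("foreign key:", VerifyUpdate(SignRelease(otherPriv, m.URL, []byte("x")), []byte("x"), pub))
}
```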


Companies can leverage YARA rules provided by Volexity to detect StormBamboo’s payloads and block the Indicators of Compromise shared by the company to strengthen their cybersecurity posture.

Disclosure: This article’s viewpoints are independent and do not represent Trend Micro.