Evasive Panda Compromises ISP to Distribute Malware via Insecure Software Updates

CyberSecureFox 🦊

In a sophisticated cyber attack uncovered by security experts at Volexity, the Chinese hacker group known as Evasive Panda has successfully compromised an unnamed internet service provider (ISP) to distribute malware through automatic software updates. This alarming development highlights the growing threat of supply chain attacks and the importance of secure update mechanisms.

The Evasive Panda Group: A Persistent Threat

Evasive Panda, also known by aliases such as StormBamboo, Bronze Highland, Daggerfly, and StormCloud, has been an active threat since at least 2012. The group primarily targets organizations in mainland China, Hong Kong, Macau, Nigeria, and various countries in Southeast and East Asia. Their latest campaign demonstrates a significant evolution in their tactics, techniques, and procedures (TTPs).

Exploiting Insecure Update Mechanisms

The hackers exploited vulnerable update mechanisms in various software applications that relied on unencrypted HTTP connections and lacked proper digital signature verification. This allowed them to deploy malware on both Windows and macOS devices. When applications checked for updates, they inadvertently installed malicious software instead of legitimate updates, including variants known as MACMA and POCOSTICK (also called MGBot).

DNS Poisoning: The Attack Vector

To execute this campaign, Evasive Panda first compromised an unnamed ISP and then launched a DNS poisoning attack. This technique allowed them to intercept and modify DNS requests from victims, redirecting them to malicious IP addresses controlled by the attackers. As a result, malware was delivered directly from the group’s command and control servers without any user interaction.

Specific Attack Example: 5KPlayer YouTube-DL Update

One concrete example of the attack involved the popular media player 5KPlayer. The hackers exploited its requests for youtube-dl updates to deliver a backdoored installer from their controlled server. This demonstrates how even seemingly innocuous update processes can be weaponized by sophisticated threat actors.

Post-Compromise Activities

After successfully compromising target systems, the attackers installed a malicious Google Chrome extension called ReloadText. This extension enabled them to collect and exfiltrate cookies and email data, further expanding their access to sensitive information.

Mitigation and Response

Volexity’s investigation revealed that StormBamboo targeted multiple software vendors using insecure update processes. Upon discovery, the security firm promptly notified the affected ISP and collaborated to examine key traffic routing devices within the provider’s network. The DNS poisoning attack ceased immediately after the provider rebooted and disabled various network components, effectively halting the malware distribution campaign.

This incident serves as a stark reminder of the critical importance of implementing secure update mechanisms, including the use of HTTPS, robust digital signature verification, and regular security audits of network infrastructure. Organizations and software developers must prioritize these security measures to protect their users from sophisticated supply chain attacks. As cyber threats continue to evolve, maintaining vigilance and adopting best practices in cybersecurity remains paramount for safeguarding digital assets and user data.
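The update-mechanism weakness described above (plain HTTP, no signature check) and the mitigations listed here are illustrated by the following added example, which is not code from the article, from Volexity, or from any of the affected vendors. It uses Go's standard-library Ed25519 to contrast an unverified "fetch and install" path with one that pins the payload to a vendor-signed manifest; the URL, payloads, and the `fetch` callback standing in for the network (which a poisoned resolver can redirect) are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the one artifact the vendor signs: where the payload lives and what it must hash to.
type Manifest struct {
	URL    string
	SHA256 string // hex digest of the expected payload
}

func (m Manifest) bytes() []byte { return []byte(m.URL + "\n" + m.SHA256) }
// VerifyUpdate is the hardened path: HTTPS-only URL, vendor signature over the manifest checked
// with the public key embedded in the updater, and a payload whose hash matches the manifest.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, sig []byte, fetch func(string) []byte) ([]byte, error) {
	if !strings.HasPrefix(m.URL, "https://") {
		return nil, errors.New("update URL is not https")
	}
	if !ed25519.Verify(vendorPub, m.bytes(), sig) {
		return nil, errors.New("manifest signature invalid")
	}
	payload := fetch(m.URL) // fetch stands in for the network, which a poisoned resolver may redirect
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("payload hash does not match signed manifest")
	}
	return payload, nil
}

// InsecureUpdate is the pattern the campaign abused: install whatever the fetch returns.
func InsecureUpdate(url string, fetch func(string) []byte) []byte { return fetch(url) }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("constructed: genuine youtube-dl build")
	sum := sha256.Sum256(genuine)
	m := Manifest{URL: "https://updates.example.invalid/youtube-dl", SHA256: hex.EncodeToString(sum[:])}
	sig := ed25519.Sign(priv, m.bytes())
	// Constructed poisoned resolver: the same URL now yields a backdoored installer.
	poisoned := func(string) []byte { return []byte("constructed: backdoored installer") }
	fmt.Printf("insecure client installed: %q\n", InsecureUpdate(m.URL, poisoned))
	_, err := VerifyUpdate(pub, m, sig, poisoned)
	fmt.Println("hardened client:", err)
}
```

Note that the signature covers the manifest rather than the payload, so a redirected download fails on the hash check even when the signed manifest itself was fetched over the poisoned path; a real updater would also pin the manifest's version to prevent rollback to an older signed release.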
