Volexity researchers reported that a China-linked APT group, tracked as StormBamboo (aka Evasive Panda, Daggerfly, and StormCloud), successfully compromised an undisclosed internet service provider (ISP) in order to poison DNS responses for target organizations.
In mid-2023, Volexity discovered multiple malware infections affecting macOS and Windows systems within victim organizations. The company linked the attacks to the StormBamboo APT group. Upon investigating the incidents, the researchers determined that a DNS poisoning attack at the ISP level caused the infections. The attackers altered DNS responses for domains related to software updates to deploy multiple malware families, including MACMA and POCOSTICK (MGBot). The attacker's methods resemble those of DriftingBamboo, suggesting a possible connection between the two threat actors.
The Macma macOS backdoor was first detailed by Google in 2021 and has been used since at least 2019. At the time of discovery, threat actors employed the malware in watering hole attacks involving compromised websites in Hong Kong. The watering hole attacks used exploits for iOS and macOS devices. Attackers exploited the privilege escalation vulnerability CVE-2021-30869 to install Macma on macOS devices.
“During one incident investigated by Volexity, it was discovered that StormBamboo poisoned DNS requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers,” reads the report published by Volexity. “The DNS records were poisoned to resolve to an attacker-controlled server in Hong Kong at IP address 103.96.130[.]107. Initially, Volexity suspected the initial victim organization’s firewall may have been compromised. However, further investigation revealed the DNS poisoning was not performed within the target infrastructure, but further upstream at the ISP level.”
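Because the poisoning happened upstream of the victim, the endpoint's own resolver cannot be trusted to reveal it. As an added example (not Volexity's tooling or code from the report), the check below compares the A records returned by the ISP-assigned resolver for watched software-update hostnames against an independent resolver reached over an encrypted channel; the hostnames and log lines are constructed, and the flagged address is the one Volexity reported.

```python
"""Cross-resolver consistency check for software-update hostnames.

Added example, not from the Volexity report. The log format, resolver
names and hostnames are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed log lines: "<resolver> <qname> <rtype> <answer>".
# "isp-resolver" is the resolver handed out by the ISP; "doh-resolver" is an
# independent resolver queried over an encrypted transport for comparison.
SAMPLE_LOG = """\
isp-resolver updates.example-vendor.test A 203.0.113.10
doh-resolver updates.example-vendor.test A 203.0.113.10
isp-resolver cdn.update-mirror.test A 103.96.130.107
doh-resolver cdn.update-mirror.test A 198.51.100.25
isp-resolver www.example.test A 192.0.2.7
doh-resolver www.example.test A 192.0.2.7
"""

# Hypothetical hostnames whose HTTP auto-update traffic is worth watching.
WATCHED = {"updates.example-vendor.test", "cdn.update-mirror.test"}


def parse_log(text):
    """Return {qname: {resolver: set(IPv4/IPv6 answers)}} for A records."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in text.splitlines():
        resolver, qname, rtype, answer = line.split()
        if rtype == "A":
            seen[qname][resolver].add(ipaddress.ip_address(answer))
    return seen


def find_divergent(seen, trusted="doh-resolver"):
    """Flag watched hostnames where a local resolver returned answers the
    trusted resolver did not. Returns (qname, resolver, [extra answers])."""
    alerts = []
    for qname, by_resolver in seen.items():
        if qname not in WATCHED or trusted not in by_resolver:
            continue
        for resolver, answers in by_resolver.items():
            extra = answers - by_resolver[trusted]
            if resolver != trusted and extra:
                alerts.append((qname, resolver, sorted(str(a) for a in extra)))
    return alerts


if __name__ == "__main__":
    for qname, resolver, extra in find_divergent(parse_log(SAMPLE_LOG)):
        print(f"{qname}: {resolver} returned {extra} not seen from trusted resolver")
```

Divergent answers are a triage signal rather than proof of poisoning, since CDN and geo-aware DNS legitimately return different records to different resolvers; the useful follow-up is whether the extra address is outside the vendor's known ranges and whether the update channel is plain HTTP.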