
A China-linked cyberespionage group known as StormBamboo (also tracked as Evasive Panda, Daggerfly, and Bronze Highland) has compromised an internet service provider (ISP) to manipulate DNS responses and distribute malware through insecure software update mechanisms. This campaign, analyzed by Volexity, targeted organizations across Asia and other regions, deploying MACMA (macOS) and POCOSTICK/MGBot (Windows) malware variants via poisoned update channels.
Key Takeaways for Security Leaders
StormBamboo’s attack chain demonstrates the growing risk of supply-chain compromises through third-party infrastructure. The group hijacked an ISP’s DNS systems to redirect software update requests to attacker-controlled servers, exploiting applications that lacked HTTPS or digital signature validation. Key payloads included MACMA for macOS, POCOSTICK for Windows, and a Chrome extension (RELOADEXT) designed to exfiltrate sensitive data.
Critical mitigation steps include enforcing DNSSEC, mandating HTTPS for update channels, and validating digital signatures for all software installations. Organizations should also monitor DNS anomalies and restrict execution of unsigned binaries.
Technical Breakdown of the Attack
ISP Compromise and DNS Poisoning
StormBamboo gained control of an unnamed ISP’s DNS infrastructure, allowing them to modify responses for domains tied to software updates. The attackers redirected legitimate update requests (e.g., www.msftconnecttest[.]com) to a malicious IP (103.96.130[.]107). This enabled them to serve backdoored installers for applications like 5KPlayer, which fetched malware-laden PNG files during the update process.
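The two client-side weaknesses the redirect relied on (a plain-HTTP update URL and no signature check on the downloaded payload) are easiest to see in a small update client that closes both. The Go program below is an added illustration, not code from Volexity or from any of the affected vendors: it refuses non-HTTPS update URLs and verifies a detached Ed25519 signature against a key pinned in the client before anything is applied. The vendor key pair, the `update.example.test` URL, the payload bytes and the two fetcher stand-ins are all constructed for the example; `PoisonedFetcher` models only what a DNS-redirected server can do, namely serve substituted bytes, not the TLS handshake failure that HTTPS would already produce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// Fetcher returns the update payload and its detached signature for a URL.
// A real client would perform an HTTPS download here; it is injectable so the
// example runs offline against the constructed fixtures below.
type Fetcher func(rawURL string) (payload, sig []byte, err error)

// An update URL that is not https:// can be rewritten by anyone who controls
// DNS on the path, which is exactly the ISP-level position described above.
var ErrInsecureScheme = errors.New("update URL must use https")

// Bytes that do not verify against the pinned vendor key are never applied.
var ErrBadSignature = errors.New("update signature did not verify against pinned key")

// ValidateUpdateURL enforces an HTTPS-only update channel.
func ValidateUpdateURL(rawURL string) error {
	u, err := url.Parse(rawURL)
	if err != nil {
		return err
	}
	if u.Scheme != "https" || u.Host == "" {
		return ErrInsecureScheme
	}
	return nil
}

// VerifyUpdate checks the detached Ed25519 signature with the pinned public key.
// A redirected server can serve arbitrary bytes but cannot sign them.
func VerifyUpdate(pub ed25519.PublicKey, payload, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, payload, sig) {
		return ErrBadSignature
	}
	return nil
}

// ApplyUpdate is the hardened path: HTTPS-only URL, download, signature check.
func ApplyUpdate(pub ed25519.PublicKey, rawURL string, fetch Fetcher) ([]byte, error) {
	if err := ValidateUpdateURL(rawURL); err != nil {
		return nil, err
	}
	payload, sig, err := fetch(rawURL)
	if err != nil {
		return nil, err
	}
	if err := VerifyUpdate(pub, payload, sig); err != nil {
		return nil, err
	}
	return payload, nil
}

// --- constructed fixtures (hypothetical vendor, not real infrastructure) ---

// The vendor key pair is generated at run time for the example; a real client
// ships with the public key pinned in the binary.
var vendorPub, vendorPriv, _ = ed25519.GenerateKey(rand.Reader)

var genuinePayload = []byte("genuine-update-v2.0")
var genuineSig = ed25519.Sign(vendorPriv, genuinePayload)

// HonestFetcher returns the vendor's signed payload.
func HonestFetcher(string) ([]byte, []byte, error) {
	return genuinePayload, genuineSig, nil
}

// PoisonedFetcher models a server reached via poisoned DNS: it substitutes the
// payload and replays the genuine signature alongside it.
func PoisonedFetcher(string) ([]byte, []byte, error) {
	return []byte("backdoored-installer"), genuineSig, nil
}

func main() {
	cases := []struct {
		name, rawURL string
		fetch        Fetcher
	}{
		{"genuine payload over https", "https://update.example.test/pkg", HonestFetcher},
		{"substituted payload over https", "https://update.example.test/pkg", PoisonedFetcher},
		{"genuine payload over plain http", "http://update.example.test/pkg", HonestFetcher},
	}
	for _, c := range cases {
		_, err := ApplyUpdate(vendorPub, c.rawURL, c.fetch)
		fmt.Printf("%-32s -> err=%v\n", c.name, err)
	}
}
```

Only the first case returns a payload; the substituted bytes fail the signature check even though the signature itself is genuine, and the plain-HTTP URL is rejected before any download happens.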
Malware Toolset and Capabilities
| Malware | OS | Capabilities |
|---|---|---|
| MACMA | macOS | Keylogging, screen/audio capture, C2 via kNET protocol |
| POCOSTICK (MGBot) | Windows | Modular plugins for credential theft and network scanning |
| RELOADEXT | Chrome | Exfiltrates cookies to Google Drive using AES encryption |
Volexity identified code overlaps between MACMA and the GIMMICK malware family, suggesting shared development resources within the threat actor’s ecosystem.
Detection and Mitigation Strategies
Indicators of Compromise (IOCs)
- IPs: 103.96.130.107 (C2), 152.32.159.8 (MACMA C2)
- File Hashes: ee28b3137d65d74c0234eea35fa536af (RELOADEXT), 4958ede3b968ad464c983054479bf4d2 (MACMA keylogger)
YARA rules for detecting MACMA payloads are available in Volexity’s GitHub repository.
Recommended Defensive Actions
- Network-Level: Implement DNSSEC and monitor for DNS query anomalies.
- Endpoint-Level: Enforce code-signing requirements and audit browser extensions.
- Vendor Coordination: Advocate for HTTPS adoption in software update mechanisms.
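"Monitor for DNS query anomalies" is concrete enough to automate: resolver answers for update-related domains can be checked against the address ranges the vendor publishes, and any answer can be checked against the IOC list above. The Go program below is an added example, not Volexity's tooling: it parses resolver log lines in a constructed `key=value` format, flags answers that match the two C2 addresses from the IOC list, and flags pinned update domains that resolve outside their expected ranges. The expected ranges are RFC 5737 TEST-NET placeholders, the `update.example.test` domain is hypothetical, and the sample log is constructed; a real deployment would load the vendor's published ranges and its own log format.

```go
package main

import (
	"bufio"
	"fmt"
	"net/netip"
	"strings"
)

// Finding is one flagged log line with the reason it was flagged.
type Finding struct {
	Line   string
	Reason string
}

// Known-bad answer addresses taken from the report's IOC list.
var iocIPs = map[string]string{
	"103.96.130.107": "C2",
	"152.32.159.8":   "MACMA C2",
}

// Expected answer ranges for update domains. These prefixes are constructed
// placeholders (RFC 5737 TEST-NET); pin the vendor's published ranges in practice.
var expectedRanges = map[string][]netip.Prefix{
	"www.msftconnecttest.com": {netip.MustParsePrefix("203.0.113.0/24")},
	"update.example.test":     {netip.MustParsePrefix("198.51.100.0/24")},
}

// dnsRecord holds the fields parsed from one resolver log line.
type dnsRecord struct{ qname, qtype, answer string }

// parseLine reads the constructed "k=v k=v ..." format used in sampleLog.
func parseLine(line string) (dnsRecord, bool) {
	var r dnsRecord
	for _, field := range strings.Fields(line) {
		k, v, ok := strings.Cut(field, "=")
		if !ok {
			continue
		}
		switch k {
		case "qname":
			r.qname = strings.ToLower(strings.TrimSuffix(v, "."))
		case "type":
			r.qtype = v
		case "answer":
			r.answer = v
		}
	}
	return r, r.qname != "" && r.answer != ""
}

// Inspect scans resolver log text and returns every anomalous answer.
// IOC matches are checked for every domain; range checks apply only to
// domains that have pinned expected ranges.
func Inspect(log string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		line := sc.Text()
		r, ok := parseLine(line)
		if !ok || (r.qtype != "A" && r.qtype != "AAAA") {
			continue // only address answers are compared
		}
		addr, err := netip.ParseAddr(r.answer)
		if err != nil {
			continue
		}
		if label, bad := iocIPs[addr.String()]; bad {
			findings = append(findings, Finding{line, "answer matches IOC: " + label})
			continue
		}
		ranges, pinned := expectedRanges[r.qname]
		if !pinned {
			continue
		}
		inRange := false
		for _, p := range ranges {
			if p.Contains(addr) {
				inRange = true
				break
			}
		}
		if !inRange {
			findings = append(findings, Finding{line, fmt.Sprintf("%s resolved outside pinned ranges: %s", r.qname, addr)})
		}
	}
	return findings
}

// sampleLog is constructed for the example; it is not a real capture.
const sampleLog = `ts=2024-08-01T09:00:01Z client=10.0.0.5 qname=www.msftconnecttest.com. type=A answer=203.0.113.10
ts=2024-08-01T09:00:07Z client=10.0.0.5 qname=www.msftconnecttest.com. type=A answer=103.96.130.107
ts=2024-08-01T09:00:12Z client=10.0.0.9 qname=update.example.test. type=A answer=192.0.2.77
ts=2024-08-01T09:00:15Z client=10.0.0.9 qname=cdn.example.test. type=CNAME answer=edge.example.test.
ts=2024-08-01T09:00:20Z client=10.0.0.12 qname=mail.example.test. type=A answer=152.32.159.8`

func main() {
	for _, f := range Inspect(sampleLog) {
		fmt.Printf("ALERT %s\n      %s\n", f.Reason, f.Line)
	}
}
```

The first line is a normal resolution and produces nothing; the IOC hit on a pinned domain, the out-of-range answer for the update domain, and the IOC hit on an unpinned domain are each flagged, while the CNAME line is skipped because only address answers are compared.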
Conclusion
This campaign underscores the critical need to secure software supply chains, particularly for organizations relying on third-party ISPs. StormBamboo’s tactics—combining infrastructure compromise with update mechanism abuse—highlight the escalating sophistication of APT groups. Proactive measures like DNSSEC and HTTPS enforcement are no longer optional but essential for enterprise defense.