China-linked threat actor Evasive Panda, known as Bronze Highland, Daggerfly, and StormBamboo, has compromised an unnamed internet service provider (ISP) to push out malicious software updates to companies using its services. The malware targets both Windows and macOS machines and is delivered by poisoning the DNS responses for targeted companies.
The breach was discovered by researchers at Volexity in mid-2023, when the firm detected and responded to multiple incidents involving systems infected with malware linked to the group. Multiple malware families were deployed across the victims’ networks to both macOS and Windows systems. The initial infection vector was, in Volexity’s words, “initially difficult to establish,” but it eventually turned out to be the result of a DNS poisoning attack at the ISP level, as explained in the firm’s report on the campaign.
Researchers found that the threat actors were altering DNS query responses for specific domains tied to automatic software update mechanisms. The targeted software used insecure update mechanisms, such as HTTP instead of HTTPS, and its installers did not properly validate the digital signatures of the updates they fetched. Hence, instead of installing the update, these installers were downloading and running malware, including MACMA and MGBot. The group has previously used these two malware families to target macOS and Windows systems, respectively.
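The two weaknesses named above, an unencrypted update channel and an installer that never checks a signature, are exactly what DNS poisoning exploits: whoever controls the resolver controls the bytes the updater runs. The following Go program is an added example, not code from Volexity or from any affected vendor, that puts the vulnerable updater beside a hardened one. It assumes a simple update manifest (version plus SHA-256 of the installer) signed with an Ed25519 key whose public half is compiled into the client; the URLs, payloads and key pair are constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is the small signed document an update server publishes next to an
// installer. The format and field names are assumptions for this example.
type Manifest struct {
	Version string
	SHA256  string // hex SHA-256 of the installer bytes
}

// canonical is the exact byte string the vendor signs and the client verifies.
func (m Manifest) canonical() []byte {
	return []byte("version=" + m.Version + "\nsha256=" + m.SHA256 + "\n")
}

// Update is what the client holds after an update check: where it came from,
// the installer bytes, the manifest and the vendor's signature over it.
type Update struct {
	URL       string
	Payload   []byte
	Manifest  Manifest
	Signature []byte
}

var (
	ErrInsecureTransport = errors.New("update URL is not https")
	ErrBadSignature      = errors.New("manifest signature does not verify with pinned vendor key")
	ErrHashMismatch      = errors.New("installer hash does not match signed manifest")
)

// NewSigningKey stands in for the vendor's offline signing key (constructed here).
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Publish builds a genuine update: hash the installer, then sign the manifest.
func Publish(priv ed25519.PrivateKey, version, location string, installer []byte) Update {
	sum := sha256.Sum256(installer)
	m := Manifest{Version: version, SHA256: hex.EncodeToString(sum[:])}
	return Update{URL: location, Payload: installer, Manifest: m, Signature: ed25519.Sign(priv, m.canonical())}
}

// Poison models what a DNS-poisoned update server can do: it controls the bytes
// on the wire, so it can swap the installer and serve it over plain http, but it
// cannot produce a signature that verifies under the vendor's pinned key.
func Poison(genuine Update, substitute []byte, location string) Update {
	p := genuine
	p.Payload = substitute
	p.URL = location
	return p
}

// InsecureApply is the updater behaviour the article describes: whatever
// arrives is treated as the update. The returned bytes are what would be run.
func InsecureApply(u Update) ([]byte, error) {
	return u.Payload, nil
}

// SecureApply is the hardened path: https only, manifest signature checked
// against a public key compiled into the client, and installer hash checked
// against the signed manifest. Only then are the bytes handed back to run.
func SecureApply(pinned ed25519.PublicKey, u Update) ([]byte, error) {
	parsed, err := url.Parse(u.URL)
	if err != nil || parsed.Scheme != "https" {
		return nil, ErrInsecureTransport
	}
	if !ed25519.Verify(pinned, u.Manifest.canonical(), u.Signature) {
		return nil, ErrBadSignature
	}
	sum := sha256.Sum256(u.Payload)
	if hex.EncodeToString(sum[:]) != u.Manifest.SHA256 {
		return nil, ErrHashMismatch
	}
	return u.Payload, nil
}

func main() {
	pub, priv := NewSigningKey()
	genuine := Publish(priv, "2.0", "https://updates.example.test/app.pkg", []byte("genuine installer"))
	poisoned := Poison(genuine, []byte("attacker payload"), "http://updates.example.test/app.pkg")
	for _, u := range []Update{genuine, poisoned} {
		out, _ := InsecureApply(u)
		fmt.Printf("insecure updater would run %q\n", out)
		if _, err := SecureApply(pub, u); err != nil {
			fmt.Printf("secure updater rejected %q: %v\n", u.Payload, err)
		} else {
			fmt.Printf("secure updater accepted %q\n", u.Payload)
		}
	}
}
```

The order of checks matters: the transport check fails closed before any bytes are trusted, the signature binds the manifest to the vendor's key so a poisoned resolver cannot re-sign it, and the hash ties the installer that actually arrived to that signed manifest. Pinning the public key in the client (rather than fetching it from the same update domain) is what keeps the DNS layer out of the trust chain.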
Volexity researchers also contacted and worked with the ISP to determine the root cause, which led to an investigation of key devices on its network, such as the routers and switches that route traffic. While the breach couldn’t be narrowed down to a single device, the DNS poisoning stopped immediately as different pieces of network infrastructure were taken offline for the investigation.
Once the malware has been deployed, the attacker has several options. One instance recorded by Volexity researchers details the installation of a malicious Chrome extension on a macOS device by modifying Chrome’s Secure Preferences file. The extension claims to load pages in Internet Explorer compatibility mode but instead exfiltrates browser data, including cookies, to a Google Drive account controlled by the attacker.