Full Report
KEY TAKEAWAYS
- StormBamboo successfully compromised an internet service provider (ISP) in order to poison DNS responses for target organizations.
- Insecure software update mechanisms were targeted to surreptitiously install malware on victim machines running macOS and Windows.
- Malware deployed by StormBamboo includes new variants of the MACMA malware. Analysis of the newest versions of MACMA shows converged development of the MACMA and GIMMICK malware families.
- Post-exploitation activity included deployment of the malicious browser extension RELOADEXT to exfiltrate victim mail data.

In mid-2023, Volexity detected and responded to multiple incidents involving systems becoming infected with malware linked to StormBamboo (aka Evasive Panda, and previously tracked by Volexity under “StormCloud”). In those incidents, multiple malware families were found being deployed to macOS and Windows systems across the victim organizations’ networks. The infection vector for this malware was initially difficult to establish but later proved to be the result of a DNS poisoning attack […]

The post StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms appeared first on Volexity.
Analysis Summary
# Threat Actor: StormBamboo
## Attribution & Identity
**Threat Actor:** StormBamboo
**Aliases:** Evasive Panda, StormCloud (previous Volexity tracking name)
**Associations:** Workflow similar to DriftingBamboo suggests a possible relationship.
## Activity Summary
StormBamboo was detected compromising an Internet Service Provider (ISP) in mid-2023 to poison DNS responses targeted at specific organizations. This allowed the actor to hijack software update mechanisms, specifically targeting insecure updates over HTTP that lacked adequate digital signature validation, to surreptitiously install malware on both macOS and Windows systems. The activity ceased after the compromised ISP took network components offline for investigation and updates.
## Tactics, Techniques & Procedures
- **Initial Access/Delivery:** Compromising an ISP's DNS infrastructure to perform DNS poisoning, redirecting victim update traffic.
- **Supply Chain Compromise (Software Updates):** Abusing insecure (HTTP-based, lacking signature validation) automatic software update mechanisms to deliver malware instead of legitimate updates.
- **Post-Compromise:** Deploying various malware families, including new variants of MACMA. Analysis shows converged development between MACMA and GIMMICK families.
- **Data Exfiltration:** Deploying the malicious browser extension RELOADEXT to exfiltrate victim mail data.
- **DNS Manipulation (Similar to CATCHDNS behavior):** Modifying DNS responses so that legitimate hostnames resolve to attacker-controlled IPs, which then serve as second-stage C2 servers.
- **HTTP Interception:** Using compromised components to intercept and send mock HTTP responses for specific GET/POST requests based on configurable criteria (URL, Host, User-Agent, etc.).
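The update-mechanism abuse above works because the client installs whatever bytes the download returns. The following Go snippet is an added example (not code from Volexity or from any product the report names) contrasting that behaviour with a client that accepts an update only when an Ed25519 signature over the payload verifies under a public key pinned in the binary; the `Update` format, version strings and payload bytes are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is a hypothetical update-server response: payload plus detached signature.
type Update struct {
	Version   string
	Payload   []byte
	Signature []byte
}
var ErrBadSignature = errors.New("update signature does not verify")

// signedMessage binds version to payload so a signed old payload cannot be
// replayed under a newer version number.
func signedMessage(u Update) []byte {
	return append([]byte("update-v1|"+u.Version+"|"), u.Payload...)
}

// signUpdate is the vendor side; the private key never lives on the update host.
func signUpdate(priv ed25519.PrivateKey, version string, payload []byte) Update {
	u := Update{Version: version, Payload: payload}
	u.Signature = ed25519.Sign(priv, signedMessage(u))
	return u
}

// verifyUpdate is the client-side check the abused updaters lacked: a poisoned
// DNS answer can change where the bytes come from, but not forge this signature.
func verifyUpdate(pinned ed25519.PublicKey, u Update) error {
	if !ed25519.Verify(pinned, signedMessage(u), u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// demo reports which of genuine / substituted / version-replayed updates pass.
func demo() (genuineOK, substitutedOK, replayedOK bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := signUpdate(priv, "2.1.0", []byte("genuine installer bytes"))
	substituted := genuine
	substituted.Payload = []byte("bytes served by the attacker-controlled host")
	replayed := genuine
	replayed.Version = "9.9.9"
	return verifyUpdate(pub, genuine) == nil, verifyUpdate(pub, substituted) == nil, verifyUpdate(pub, replayed) == nil
}
func main() { fmt.Println(demo()) } // true false false
```

An unverified HTTP updater accepts all three cases; the pinned-key check accepts only the genuine one, regardless of which host DNS pointed the client at.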
## Targeting
- **Sectors:** Internet Service Providers (ISP) were compromised as a means to target downstream customers. Victim organizations' networks were infected.
- **Geography:** One identified C2 IP involved Hong Kong (`103.96.130[.]107`). The ISP compromised was not explicitly named but was likely located where the DNS poisoning occurred.
- **Victims:** Multiple unidentified organizations whose macOS and Windows systems were infected across their networks.
## Tools & Infrastructure
- **Malware Families Used:**
  - MACMA (new variants analyzed, showing converged development with GIMMICK)
  - POCOSTICK (also tracked as MGBot)
  - RELOADEXT (malicious browser extension for mail data exfiltration)
  - CATCHDNS (suspected or related DNS poisoning malware used by DriftingBamboo, potentially adapted to control the ISP environment)
- **Infrastructure:**
  - C2 Server IP: `103.96.130[.]107` (Hong Kong)
  - Hijacked DNS targets resolved to attacker IPs.
  - Components within the ISP network were compromised to perform the poisoning.
## Implications
StormBamboo demonstrates a highly sophisticated, multi-stage attack methodology leveraging supply chain risk by compromising upstream infrastructure (an ISP) to conduct precise, targeted software update manipulation. This level of access allows them to bypass traditional perimeter defenses and directly compromise endpoints by feeding them malicious software disguised as legitimate updates. The convergence of malware families suggests continuous, organized development efforts.
## Mitigations
- **Software Update Validation:** Ensure all software update mechanisms strictly enforce digital signature validation and use secure protocols (HTTPS) to prevent interception and manipulation of update files.
- **Network Segmentation & Monitoring:** Implement rigorous monitoring of DNS resolution changes and outbound traffic, particularly for connections originating from automatic update services.
- **DNS Security:** Utilize DNS security logging and anomaly detection to identify potential DNS poisoning attempts within the network or upstream dependencies.
- **Browser Security:** Ensure browser extensions are rigorously vetted, as RELOADEXT was used to exfiltrate mail data.
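To make the DNS monitoring mitigation concrete, here is an added Go example (not Volexity's tooling) that runs over constructed resolver log lines and flags watched update hostnames answered outside a pinned baseline, plus the collapse of several such hostnames onto one unexpected IP. The log format, hostnames and baseline answers are assumptions; the one non-placeholder address is the C2 IP quoted in the report.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed resolver log lines (not real data): hostnames are placeholders for
// vendor update hosts; 103.96.130.107 is the C2 address named in the report.
var sampleLog = []string{
	"2023-06-01T10:00:01Z client=10.0.0.5 qname=updates.vendor-a.test qtype=A answer=203.0.113.10",
	"2023-06-01T10:03:09Z client=10.0.0.7 qname=updates.vendor-a.test qtype=A answer=103.96.130.107",
	"2023-06-01T10:03:11Z client=10.0.0.7 qname=dl.vendor-b.test qtype=A answer=103.96.130.107",
	"2023-06-01T10:04:00Z client=10.0.0.9 qname=www.example.test qtype=A answer=192.0.2.1",
}

// baseline: the answers each watched update hostname is expected to return (assumed).
var baseline = map[string]map[string]bool{
	"updates.vendor-a.test": {"203.0.113.10": true},
	"dl.vendor-b.test":      {"198.51.100.20": true},
}

// detectDrift emits a "drift" alert per watched hostname answered outside its baseline
// and a "collapse" alert when several watched hostnames resolve to one unexpected IP.
func detectDrift(lines []string) []string {
	var alerts []string
	byIP := map[string]map[string]bool{} // unexpected answer -> watched hostnames
	for _, l := range lines {
		f := map[string]string{} // "k=v" tokens of one line
		for _, tok := range strings.Fields(l) {
			k, v, _ := strings.Cut(tok, "=")
			f[k] = v
		}
		want, watched := baseline[f["qname"]]
		if !watched || f["qtype"] != "A" || want[f["answer"]] {
			continue // unwatched name, non-A record, or an expected answer
		}
		alerts = append(alerts, fmt.Sprintf("drift: %s -> %s (client %s)", f["qname"], f["answer"], f["client"]))
		if byIP[f["answer"]] == nil {
			byIP[f["answer"]] = map[string]bool{}
		}
		byIP[f["answer"]][f["qname"]] = true
	}
	for ip, hosts := range byIP {
		if len(hosts) > 1 {
			alerts = append(alerts, fmt.Sprintf("collapse: %d watched hosts -> %s", len(hosts), ip))
		}
	}
	return alerts
}
func main() { fmt.Println(strings.Join(detectDrift(sampleLog), "\n")) }
```

The collapse rule is the higher-confidence signal: unrelated vendors' update hosts legitimately share an address far less often than a single host changes its own.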