Chinese hackers hijacked an ISP software update to spread malware

The organizations’ applications would then search for updates, but instead of retrieving the update from the official site, they would instead download malware.

MACMA and POCOSTICK attacks

The StormBamboo campaign was first detected by Volexity in mid-2023, however it took some time for the attack vector to be identified, but mirrors a similar infection vector as a previous campaign attributed to DriftingBamboo.

In one incident, Volexity suspected the DNS poisoning was occuring at the target infrastructure level, but subsequent investigation revealed that the poisoning was occuring at the ISP level. Once the ISP was notified, they methodically rebooted systems and took components of the network offline, which caused the DNS poisoning to stop.

In order to push their malware onto target systems, StormBamboo would use the poisoned DNS to redirect HTTP requests to a command-and-control (C2) server that would supply a forged text file and malware installer instead of the legitimate software update. The forged text file replaces the legitimate text-based file that would typically contain the latest application version and an installer link requested via HTTP. The malware pushed by StormBamboo included MACMA and POCOSTICK.

StormBamboo used varying methods of this attack vector to target software vendors using insecure update workflows. HTTPS uses encryption and digital signatures to verify the authenticity of requests, making it far more secure than HTTP. Volexity provided guidance on defending against this particular attack vector, including a link to a set of rules used for detecting malicious activity, and and IOC block list.

More from TechRadar Pro

• These are the best firewalls around today to keep you safe
• Python Q&A site StackExchange hijacked to spread malware disguised as answers
• Take a look at the best endpoint protection tools