Hackers delivered malware to Windows and Mac users by compromising their Internet service provider and then tampering with software updates delivered over unsecure connections, researchers said.
The attack, researchers from security firm Volexity said, worked by hacking routers or similar types of device infrastructure of an unnamed ISP. The attackers then used their control of the devices to poison domain name system responses for legitimate hostnames providing updates for at least six different apps written for Windows or macOS. The apps affected were the 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and those from Corel and Sogou.
These aren’t the update servers you’re looking for
Because the update mechanisms didn’t use TLS or cryptographic signatures to authenticate the connections or downloaded software, the threat actors were able to use their control of the ISP infrastructure to successfully perform machine-in-the-middle (MitM) attacks that directed targeted users to hostile servers rather than the ones operated by the affected software makers. These redirections worked even when users employed non-encrypted public DNS services such as Google’s 8.8.8.8 or Cloudflare’s 1.1.1.1 rather than the authoritative DNS server provided by the ISP.
“That is the fun/scary part—this was not the hack of the ISPs DNS servers,” Volexity CEO Steven Adair wrote in an online interview. “This was a compromise of network infrastructure for Internet traffic. The DNS queries, for example, would go to Google’s DNS servers destined for 8.8.8.8. The traffic was being intercepted to respond to the DNS queries with the IP address of the attacker’s servers.”
In other words, the DNS responses returned by any DNS server would be changed once it reached the infrastructure of the hacked ISP. The only way an end user could have thwarted the attack was to use DNS over HTTPS or DNS over TLS to ensure lookup results haven’t been tampered with or to avoid all use of apps that deliver unsigned updates over unencrypted connections.
Volexity provided the following diagram illustrating the flow of the attack:
As an example, the 5KPlayer app uses an unsecure HTTP connection rather than an encrypted HTTPS one to check if an update is available and, if so, to download a configuration file named Youtube.config. StormBamboo, the name used in the industry to track the hacking group responsible, used DNS poisoning to deliver a malicious version of the Youtube.config file from a malicious server. This file, in turn, downloaded a next-stage payload that was disguised as a PNG image. In fact, it was an executable file that installed malware tracked under the names MACMA for macOS devices or POCOSTICK for Windows devices.
MACMA first came to light in 2021 post published by Google’s Threat Analysis Group, a team that tracks malware and cyberattacks backed by nation-states. The backdoor was written for macOS and iOS devices and provided a full suite of capabilities including device fingerprinting, screen capture, file downloading and uploading, execution of terminal commands, audio recording, and keylogging.
POCOSTICK, meanwhile, has been in use since at least 2014. Last year, security firm ESET said the malware, which it tracked under the name MGBot, was used exclusively by a Chinese-speaking threat group tracked as Evasive Panda.
ESET researchers determined that the malware was installed through legitimate updates of benign software, but they weren’t sure how that happened. One possibility, the researchers said at the time, was through a supply-chain attack that replaced the legitimate updates with malicious ones at the very source. The other possible scenario was through a MitM attack on the servers delivering the updates. Volexity’s findings now confirm that the latter explanation is the correct one.
In at least one case in the most recent attacks, StormBamboo forced a macOS device to install a browser plugin Volexity tracks under the name RELOADEXT. The extension masquerades as one that loads webpages to be compatible with Internet Explorer. In fact, Volexity said, it copies browser cookies and sends them to a Google Drive account controlled by the attackers. The data was base64 encoded and encrypted using the Advanced Encryption Standard. Despite the care taken by the hackers, they nonetheless exposed the client_id, client_secret, and refresh_token in the malicious extension.
One other technique Volexity observed was StormBamboo’s use of DNS poisoning to hijack www.msftconnecttest.com , a domain Microsoft uses to determine if Windows devices are actively connected to the Internet. By replacing the legitimate DNS resolution with an IP address pointing to a malicious site operated by the threat actors, they could intercept HTTP requests destined for any host.
Adair declined to identify the hacked ISP other than to say it’s “not a big huge one or one you’d likely know.”
“In our case the incident is contained but we see other servers that are actively serving malicious updates but we do not know where they are being served from,” he said. “We suspect there are other active attacks around the world we do not have purview into. This could be from an ISP compromise or a localized compromise to an organization such as on their firewall.”
As noted earlier, there are many options for preventing these sorts of attacks beyond (1) eschewing all software that updates unsecurely or (2) using DNS over HTTPS or DNS over TPS. The first method is likely the best, although it likely means having to stop using a preferred app in at least some cases. The alternative DNS configurations are viable, but at the moment are offered by only a handful of DNS providers, with 8.8.8.8 and 1.1.1.1 being the best known.
