Malware-laced automated software updates have been deployed by Chinese cyberespionage operation StormBamboo, also known as Daggerfly, Evasive Panda, and Storm Cloud, following the compromise of an unnamed internet service provider, according to BleepingComputer.
After conducting a DNS poisoning attack against the ISP, StormBamboo leveraged vulnerable HTTP software update mechanisms that lacked digital signature validation to install MACMA and MgBot malware on Windows and macOS systems, a report from Volexity revealed. Attacks also involved serving a backdoored installer in response to 5KPlayer's requests for a youtube-dl dependency update, as well as installing a Google Chrome extension, dubbed "ReloadText," that exfiltrates browser cookies and mail data.
"Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware," said researchers, who added that the DNS poisoning had ceased once the ISP, after being informed of the intrusion, conducted a reboot.
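The weak link in both the report and the quote above is an update client that installs whatever an HTTP endpoint returns, so whoever controls the DNS answer controls the update. The following Go example is added here and is not code from Volexity, BleepingComputer or any affected vendor; it contrasts that client with one that verifies an Ed25519 signature under a key pinned in the client, using a constructed update format and constructed sample payloads.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// UpdateResponse stands in for an HTTP update endpoint's reply (constructed format, not a vendor's).
type UpdateResponse struct {
	Payload   []byte // installer bytes
	Signature []byte // Ed25519 signature over sha256(Payload); empty if the vendor does not sign
}

// insecureInstall installs whatever the endpoint returns; with poisoned DNS, that is the attacker's server.
func insecureInstall(resp UpdateResponse) []byte { return resp.Payload }

// verifiedInstall accepts a payload only if it verifies under a key pinned in the client, so a poisoned DNS answer alone cannot push code.
func verifiedInstall(pinned ed25519.PublicKey, resp UpdateResponse) ([]byte, error) {
	digest := sha256.Sum256(resp.Payload)
	if len(resp.Signature) != ed25519.SignatureSize || !ed25519.Verify(pinned, digest[:], resp.Signature) {
		return nil, errors.New("update rejected: signature missing or invalid under pinned key")
	}
	return resp.Payload, nil
}

// signUpdate is the vendor's build-time step; the private key never reaches clients.
func signUpdate(priv ed25519.PrivateKey, payload []byte) UpdateResponse {
	digest := sha256.Sum256(payload)
	return UpdateResponse{Payload: payload, Signature: ed25519.Sign(priv, digest[:])}
}

// demo feeds a genuine update and a swapped payload (constructed sample data) to both clients.
func demo() (genuineOK, insecureAcceptsTampered, verifiedAcceptsTampered bool) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	if err != nil {
		panic(err)
	}
	genuine := signUpdate(priv, []byte("constructed installer v1.2.3"))
	tampered := UpdateResponse{Payload: []byte("constructed replaced installer"), Signature: genuine.Signature}
	_, errG := verifiedInstall(pub, genuine)
	_, errV := verifiedInstall(pub, tampered)
	return errG == nil, len(insecureInstall(tampered)) > 0, errV == nil
}

func main() {
	g, i, v := demo()
	fmt.Printf("genuine accepted=%v; tampered accepted by insecure=%v, by verified=%v\n", g, i, v)
}
```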