Unveiling the Cyberattack: A Sophisticated Breach by Evasive Panda
Recent investigations have unveiled a sophisticated cyberattack attributed to a China-linked advanced persistent threat (APT) group, which has successfully compromised an Internet service provider (ISP) to exploit software vendor update mechanisms. This breach was executed through a method known as DNS poisoning, enabling the attackers to deliver new variants of the Macma backdoor alongside post-exploitation malware aimed at exfiltrating sensitive data from affected networks.
Researchers at Volexity identified the attack orchestrated by Evasive Panda, also referred to as StormBamboo or DaggerFly. Their findings emerged in mid-2023 when they detected multiple systems infected with malware. The investigation revealed that this highly active Chinese APT was manipulating DNS query responses for specific domains associated with automatic software update channels.
According to Volexity’s researchers—Ankur Saini, Paul Rascagneres, Steven Adair, and Thomas Lancaster—the group specifically targeted software that relied on insecure update mechanisms, such as HTTP, which lacked proper validation of digital signatures for installers. Consequently, when these applications sought to retrieve updates, they inadvertently installed malware, including variants like Macma and Pocostick (also known as MGBot).
Macma, a backdoor frequently employed by Evasive Panda, was first documented by Google TAG in 2021, although it had been in use for several years prior to its discovery. The latest variant indicates a convergence in the development of both Macma and Gimmick MacOS malware. Additionally, the researchers noted the deployment of a malicious browser extension, Reloadext, designed to exfiltrate victim email data.
Poisoning DNS Requests
Volexity detailed one of several incidents where Evasive Panda utilized DNS poisoning to deliver malware through an HTTP automatic update mechanism. The attack involved poisoning responses for legitimate hostnames, which were subsequently used as second-stage command-and-control (C2) servers.
DNS poisoning is a form of DNS abuse where attackers manipulate DNS records to reroute network communications to a server under their control, allowing them to steal and manipulate information transmitted to users. In this instance, the APT redirected DNS records to an attacker-controlled server located in Hong Kong, specifically at IP address 103.96.130.107, within the ISP’s infrastructure.
The rationale behind exploiting automatic updates is consistent across the targeted applications. Legitimate software performs an HTTP request to retrieve a text-based file containing the latest application version and a link to the installer. By controlling the DNS responses for any given DNS name, attackers can redirect the HTTP request to a C2 server hosting a forged text file and a malicious installer.
In these attacks, the APT focused on multiple software vendors with “insecure update workflows,” employing varying levels of complexity in their methods to push malware. For instance, one vendor, 5Kplayer, utilizes a workflow that automatically checks for new versions of YoutubeDL each time the application is launched. When a new version is detected, the process downloads it from a specified URL, followed by the legitimate app executing it. Evasive Panda exploited this by using DNS poisoning to host a modified config file indicating an available update, leading the YoutubeDL software to download a backdoored upgrade package from the APT’s server.
Beware: “Highly Skilled” APT at Work
In response to the attacks, Volexity collaborated with the ISP affected by the DNS poisoning. The ISP undertook an investigation and took various network components offline, effectively halting the malicious activity. While it was challenging to identify a specific compromised device, updates to various infrastructure components led to the cessation of the attack.
