China-based Evasive Panda hackers compromised an ISP to spread malware, report says
2024-8-3 03:16:20 Author: therecord.media(查看原文) 阅读量:7 收藏

A China-based cyber-espionage group compromised an internet service provider (ISP) to spread malware in 2023, researchers said Friday, confirming a hunch expressed in an earlier report about the same operation.

Analysts at Volexity said the hacking operation — known as Evasive Panda, Bronze Highland, Daggerfly and StormBamboo — was indeed undertaking “adversary in the middle” attacks in 2023 as it infected Mac and Windows systems. In such incidents, threat actors get between a device and an otherwise trusted server to deliver malicious code.

Researchers at a different company, ESET, had attributed at least one malware infection to Evasive Panda in 2023 but could only speculate that it was an adversary-in-the-middle attack.

Volexity said its analysis showed that Evasive Panda had compromised the target’s ISP and was poisoning DNS requests — the basic communications that help devices reach internet addresses. 

“Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network,” Volexity said. “As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped.”

The attackers had used the disruption to serve up information-stealing malware known as MgBot or Pocostick (for Windows machines) and Macma (for MacOS devices). MgBot, in particular, has been a tool for Evasive Panda for more than a decade. ESET found MgBot used against China’s Tibetan population earlier this year.

Volexity said that in the 2023 incidents it analyzed, certain apps would request updates but the users’ devices would get MgBot and Macma instead. 

“StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers,” Volexity said. 

Evasive Panda remains “a highly skilled and aggressive threat actor,” the researchers said, with a wide variety of malware at hand and “significant effort” invested in operations.

Get more insights with the

Recorded Future

Intelligence Cloud.

Learn more.


文章来源: https://therecord.media/china-based-hackers-evasive-isps-malware
如有侵权请联系:admin#unsafe.sh