"[iplimit] This section contains a key named “ip”. When this is defined, the malware only hijacks requests originating from this IP address. This option only applies to HTTP requests. [httpconfig] This section is interesting, as it is the only one with multiple keys. It defi…"
T1040 Network Sniffing (99%)
"Packet monitoring on Linux. The device/interface on which the malware intercepts the packets is specified in the configuration. It uses the pcap_open_live library function to open the device for capturing packets. It installs a BPF filter on the device, and the filter progr…"
T1195.002 Compromise Software Supply Chain (95%)
"file and a malicious installer. The AitM workflow is shown below. Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware. For example, 5KPlayer uses a workflow tha…"
T1176.001 Browser Extensions (94%)
"Once configured, it can be seen in the user’s SecurePreferences file, as shown below. Finally, the plugin (6abf9a7926415dc00bcb482456cc9467) is activated by the installer running the following AppleScript command: osascript -e tell application “Google Chrome” to activate …"
T1040 Network Sniffing (93%)
"from this blog, is published to customers via its threat intelligence service. The content of this blog post is a summary of posts published in 2022–2024. Volexity Network Security Monitoring customers are also automatically covered through signatures and deployed detections fr…"
T1557.001 Name Resolution Poisoning and SMB Relay (93%)
"Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network. As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped. During this time, it was not possi…"
T1557 Adversary-in-the-Middle (91%)
"the interception using various configuration options. Both GET and POST requests can be intercepted by the malware. As previously mentioned, HTTP interception can also be limited to a given IP address using iplimit. HTTP interception works similarly to DNS interception. If a requ…"
T1176 Software Extensions (90%)
"new extension. The installer also correctly fixes the protections.macs and protections.super_mac values in the newly modified SecurePreferences. These values are designed to prevent tampering with a user’s browser settings, but they can be forged. If they do not contain the…"
T1176.001 Browser Extensions (90%)
"new extension. The installer also correctly fixes the protections.macs and protections.super_mac values in the newly modified SecurePreferences. These values are designed to prevent tampering with a user’s browser settings, but they can be forged. If they do not contain the…"
T1557.001 Name Resolution Poisoning and SMB Relay (89%)
"…ns requests to deploy malware via an HTTP automatic update mechanism and poison responses for legitimate hostnames that were used as second-stage, command-and-control (C2) servers. The DNS records were poisoned to resolve to an attacker-controlled server in Hong Kong …"
T1557.001 Name Resolution Poisoning and SMB Relay (89%)
"attacker can intercept DNS requests and poison them with malicious IP addresses, and then use this technique to abuse automatic update mechanisms that use HTTP rather than HTTPS. This method is similar to the attack vector Volexity previously observed being used by DriftingBamboo…"
T1195.002 Compromise Software Supply Chain (89%)
"was more sophisticated, abusing insecure automatic update mechanisms present in software in the victim’s environment, thus requiring no user interaction. The logic behind the abuse of automatic updates is the same for all the applications: the legitimate application performs a…"
T1105 Ingress Tool Transfer (88%)
"contents of upgrade youtube.config. If a new version is available, it is downloaded from the specified URL and executed by the legitimate application. StormBamboo used DNS poisoning to host a modified config file indicating a new update was available. This resulted in the youtub…"
T1176.001 Browser Extensions (87%)
"…fuscator.io. The purpose of the extension is to exfiltrate browser cookies to a Google Drive account controlled by the attacker. The attacker’s Google Drive client_id, client_secret, and refresh_token are all contained in the extension. They are encrypted beyond the de…"
T1195.002 Compromise Software Supply Chain (86%)
"contents of upgrade youtube.config. If a new version is available, it is downloaded from the specified URL and executed by the legitimate application. StormBamboo used DNS poisoning to host a modified config file indicating a new update was available. This resulted in the youtub…"
T1557.001 Name Resolution Poisoning and SMB Relay (86%)
"its configuration within itself as an encrypted archive. The malware decrypts the archive and drops it on disk at runtime with the name [binary_name].tty. This archive is then decompressed in memory, and the copy on disk is deleted. In the example analyzed, the configuration…"
T1539 Steal Web Session Cookie (86%)
"…fuscator.io. The purpose of the extension is to exfiltrate browser cookies to a Google Drive account controlled by the attacker. The attacker’s Google Drive client_id, client_secret, and refresh_token are all contained in the extension. They are encrypted beyond the de…"
T1557.001 Name Resolution Poisoning and SMB Relay (84%)
"network. In the May 2023 cyber session, Volexity presented details of a malware family it calls CATCHDNS, DNS poisoning malware used by DriftingBamboo that was deployed to a network appliance (in that instance, a Sophos XG firewall). Volexity cannot confirm what mechanism was u…"
T1557.001 Name Resolution Poisoning and SMB Relay (83%)
"StormBamboo Key Takeaways StormBamboo successfully compromised an Internet service provider (ISP) in order to poison DNS responses for target organizations. Insecure software update mechanisms were targeted to surreptitiously install malware on victim machines running macOS and…"
T1557.001 Name Resolution Poisoning and SMB Relay (80%)
"…necttest[.]com domain and responds with IP address 122.10.90[.]20 for this domain. In httpconfig, the “host” key is absent, meaning the malware would intercept an HTTP request to any host if it satisfied the other conditions. This was only one of several configuration…"
T1557.001 Name Resolution Poisoning and SMB Relay (79%)
"…df and encoded with Base64 prior to exfiltration. Conclusion StormBamboo is a highly skilled and aggressive threat actor who compromises third parties (in this case, an ISP) to breach intended targets. The variety of malware employed in various campaigns by this threat actor …"
T1557 Adversary-in-the-Middle (77%)
"to the DNS domain(s) present in the malware’s configuration. If there is a match, the DNS request is hijacked and the malware builds a fake DNS response packet. It then sends the packet back to the client, responding with the attacker-controlled (C2) IP address instead of …"
T1176 Software Extensions (76%)
"Once configured, it can be seen in the user’s SecurePreferences file, as shown below. Finally, the plugin (6abf9a7926415dc00bcb482456cc9467) is activated by the installer running the following AppleScript command: osascript -e tell application “Google Chrome” to activate …"
T1176 Software Extensions (75%)
"device. Volexity tracks this malicious extension under the name RELOADEXT. The extension was installed using a custom binary (ee28b3137d65d74c0234eea35fa536af) developed by the attacker. The installer supports the following parameters: Parameter / Description: -p / --plugin pa…"
T1557.001 Name Resolution Poisoning and SMB Relay (71%)
"and prove the attacker was able to control the target ISP’s DNS infrastructure in order to modify DNS responses in the victim organization’s network. This blog post explains the infection vector and gives an example of where an automatic update was abused by StormBamboo. Note…"
T1557.001 Name Resolution Poisoning and SMB Relay (65%)
"of CATCHDNS can be found in the appendix. DNS poisoning: now with abuse of insecure automatic update mechanisms! In the previously analyzed case where CATCHDNS was used to modify DNS responses, the end goal of the attacks was to modify the content of pages users browsed. This re…"
T1040 Network Sniffing (62%)
"by Volexity which Volexity attributes to StormBamboo. CATCHDNS is designed to be deployed on systems through which most of the network traffic passes. In the specific case investigated by Volexity, this malware was discovered on a perimeter firewall device. However, CATCHDNS coul…"
T1557.001 Name Resolution Poisoning and SMB Relay (59%)
"listen_dev] [send_dev] The listen device and send device sections have a “dev” key under them whose value refers to the interface on which the malware intercepts the packets and sends fake packets. [dnsdomain] This section contains the “dns” key whose value represent…"
T1176 Software Extensions (55%)
"…fuscator.io. The purpose of the extension is to exfiltrate browser cookies to a Google Drive account controlled by the attacker. The attacker’s Google Drive client_id, client_secret, and refresh_token are all contained in the extension. They are encrypted beyond the de…"
T1557.001 Name Resolution Poisoning and SMB Relay (53%)
"attack at the Internet service provider (ISP) level. Volexity determined that StormBamboo was altering DNS query responses for specific domains tied to automatic software update mechanisms. StormBamboo appeared to target software that used insecure update mechanisms, such as HT…"
T1539 Steal Web Session Cookie (50%)
"Once configured, it can be seen in the user’s SecurePreferences file, as shown below. Finally, the plugin (6abf9a7926415dc00bcb482456cc9467) is activated by the installer running the following AppleScript command: osascript -e tell application “Google Chrome” to activate …"
T1176.001 Browser Extensions (48%)
"device. Volexity tracks this malicious extension under the name RELOADEXT. The extension was installed using a custom binary (ee28b3137d65d74c0234eea35fa536af) developed by the attacker. The installer supports the following parameters: Parameter / Description: -p / --plugin pa…"
T1557 Adversary-in-the-Middle (47%)
"data. Using this knowledge, these structures are applied to the processing functions to reveal the function parsing the DNS header and to perform basic sanity checks, as shown below. Each DNS packet contains queries that appear after the DNS header in the packet. The queries cont…"
T1195.002 Compromise Software Supply Chain (40%)
"upgrade process. The image below shows inserted malicious code, starting at line 164. Its purpose is to download the next stage, a PNG file containing MACMA (macOS) or POCOSTICK (Windows) depending on the operating system. MACMA was first publicly documented in 2021 by Google…"
T1204.002 Malicious File (40%)
"upgrade process. The image below shows inserted malicious code, starting at line 164. Its purpose is to download the next stage, a PNG file containing MACMA (macOS) or POCOSTICK (Windows) depending on the operating system. MACMA was first publicly documented in 2021 by Google…"
T1557 Adversary-in-the-Middle (36%)
"of CATCHDNS can be found in the appendix. DNS poisoning: now with abuse of insecure automatic update mechanisms! In the previously analyzed case where CATCHDNS was used to modify DNS responses, the end goal of the attacks was to modify the content of pages users browsed. This re…"
T1105 Ingress Tool Transfer (35%)
"file and a malicious installer. The AitM workflow is shown below. Volexity observed StormBamboo targeting multiple software vendors, who use insecure update workflows, using varying levels of complexity in their steps for pushing malware. For example, 5KPlayer uses a workflow tha…"
T1557.001 Name Resolution Poisoning and SMB Relay (35%)
"to the DNS domain(s) present in the malware’s configuration. If there is a match, the DNS request is hijacked and the malware builds a fake DNS response packet. It then sends the packet back to the client, responding with the attacker-controlled (C2) IP address instead of …"
T1557.001 Name Resolution Poisoning and SMB Relay (34%)
"StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms In mid-2023, Volexity detected and responded to multiple incidents involving systems becoming infected with malware linked to StormBamboo (aka Evasive Panda, and previously tracked by Volexity under “Sto…"
T1105 Ingress Tool Transfer (33%)
"was more sophisticated, abusing insecure automatic update mechanisms present in software in the victim’s environment, thus requiring no user interaction. The logic behind the abuse of automatic updates is the same for all the applications: the legitimate application performs a…"
Summary
In mid-2023, Volexity detected and responded to multiple incidents involving systems becoming infected with malware linked to StormBamboo (aka Evasive Panda, and previously tracked by Volexity under “StormCloud”). In those […]