TLDR:
- China-linked threat actor Evasive Panda compromised an ISP to push malicious software updates to target companies.
- The attack involved DNS poisoning to deploy malware through insecure update mechanisms.
A China-linked threat actor known as Evasive Panda compromised an unnamed internet service provider (ISP) to push malicious software updates to target companies in mid-2023. Evasive Panda, also known as Bronze Highland, Daggerfly, and StormBamboo, is a cyber espionage group that has been active since at least 2012. The threat actor used backdoors such as MgBot and Nightdoor to harvest sensitive information. Recent reports have linked Evasive Panda to the use of a macOS malware strain called MACMA.
According to a report by Volexity, Evasive Panda compromised the ISP to breach intended targets, altering DNS query responses for specific domains tied to automatic software update mechanisms. The threat actor exploited insecure update mechanisms, such as HTTP, to deliver malware like MgBot and MACMA. Volexity informed the ISP about the DNS poisoning attack and worked to remediate it.
The attack also involved the deployment of a Google Chrome extension on macOS devices to exfiltrate browser cookies. The malware, delivered through those insecure update mechanisms, was used to steal sensitive information from victims. Overall, this attack showcases a new level of sophistication associated with Evasive Panda, highlighting the importance of secure update mechanisms and DNS security.
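To make the failure mode concrete, the following Python model is an added example (not code from Volexity's report or from any product named above). It assumes a hypothetical update host, two constructed IP addresses, constructed payloads and a vendor signing key; HMAC-SHA256 stands in for the asymmetric signature a real updater would verify, so that the example runs on the standard library alone. It contrasts an updater that fetches over plain HTTP and trusts whatever the resolved host serves with one that only accepts a payload whose hash is pinned in a vendor-signed manifest, and it includes a simple resolver-disagreement check of the kind a defender can run against update domains.

```python
import hashlib
import hmac
import json

# ---- Constructed sample environment (hypothetical host, IPs, keys and payloads) ----
UPDATE_HOST = "updates.example-vendor.test"
LEGIT_IP = "198.51.100.10"       # where the vendor's update server really lives
ATTACKER_IP = "203.0.113.66"     # where a poisoned DNS answer sends the client instead

LEGIT_PAYLOAD = b"vendor-installer-v2.1"
MALICIOUS_PAYLOAD = b"trojanised-installer"

# Vendor signing key embedded in the client. HMAC-SHA256 is a stand-in for an
# asymmetric signature (Ed25519/RSA) so this example needs no third-party library.
VENDOR_KEY = b"constructed-vendor-signing-key"
ATTACKER_KEY = b"constructed-attacker-key"   # the attacker does not hold VENDOR_KEY


def sign_manifest(payload: bytes, key: bytes) -> dict:
    """Build a manifest pinning the payload's SHA-256, plus a signature over it."""
    manifest = {"version": "2.1", "sha256": hashlib.sha256(payload).hexdigest()}
    body = json.dumps(manifest, sort_keys=True).encode()
    sig = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {"manifest": manifest, "sig": sig}


# What each IP serves for the manifest and the payload (constructed)
SERVERS = {
    LEGIT_IP: {"manifest": sign_manifest(LEGIT_PAYLOAD, VENDOR_KEY),
               "payload": LEGIT_PAYLOAD},
    ATTACKER_IP: {"manifest": sign_manifest(MALICIOUS_PAYLOAD, ATTACKER_KEY),
                  "payload": MALICIOUS_PAYLOAD},
}

# The ISP resolver as it should answer, and as it answers once poisoned
HONEST_RESOLVER = {UPDATE_HOST: LEGIT_IP}
POISONED_RESOLVER = {UPDATE_HOST: ATTACKER_IP}


def http_get(resolver: dict, host: str, resource: str):
    """Model a plain-HTTP fetch: trust the resolver, trust whatever the server returns."""
    return SERVERS[resolver[host]][resource]


def insecure_update(resolver: dict) -> bytes:
    """HTTP updater with no integrity check: installs whatever the resolved host serves."""
    return http_get(resolver, UPDATE_HOST, "payload")


def hardened_update(resolver: dict):
    """Updater that accepts a payload only if a vendor-signed manifest pins its hash.

    Returns (True, payload) on success or (False, reason) on rejection. The DNS
    answer may still be poisoned, but a server without VENDOR_KEY cannot produce
    a manifest this client will accept.
    """
    signed = http_get(resolver, UPDATE_HOST, "manifest")
    body = json.dumps(signed["manifest"], sort_keys=True).encode()
    expected_sig = hmac.new(VENDOR_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_sig, signed["sig"]):
        return False, "manifest signature invalid"
    payload = http_get(resolver, UPDATE_HOST, "payload")
    if hashlib.sha256(payload).hexdigest() != signed["manifest"]["sha256"]:
        return False, "payload hash does not match signed manifest"
    return True, payload


def dns_answer_suspicious(isp_answer: str, reference_answer: str, expected_ips: set) -> bool:
    """Detection check for an update domain: flag the ISP resolver's answer when it
    disagrees with an independent resolver (e.g. DoH to a different provider) or
    falls outside the vendor's published address set."""
    return isp_answer != reference_answer or isp_answer not in expected_ips


if __name__ == "__main__":
    print("insecure, poisoned DNS:", insecure_update(POISONED_RESOLVER))
    print("hardened, poisoned DNS:", hardened_update(POISONED_RESOLVER))
    print("hardened, honest DNS:  ", hardened_update(HONEST_RESOLVER))
    print("suspicious answer?     ", dns_answer_suspicious(ATTACKER_IP, LEGIT_IP, {LEGIT_IP}))
```

The point the model makes is that DNS poisoning at the ISP is only decisive when the client has no independent way to check what it downloaded: the insecure path installs the trojanised payload, while the hardened path rejects it at the manifest signature before the payload is ever fetched. The resolver-disagreement check is a cheap monitoring signal for exactly the domains an automatic updater depends on.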