In mid-2023, a security report from Volexity unveiled a significant cyber espionage campaign orchestrated by the Chinese hacking group known as StormBamboo, or Evasive Panda. The group compromised an Internet Service Provider (ISP) in mainland China and used that position to deliver malicious updates for the widely used Tencent QQ application. The operation relied on a DNS spoofing attack at the ISP level, which allowed StormBamboo to hijack the application's automatic update mechanism.
Through this sophisticated method, the malware known as MgBot was disseminated to an international non-governmental organization (NGO) operating in China. StormBamboo modified DNS records to redirect legitimate application update requests to their own server in Hong Kong, effectively turning targeted clients into unwitting participants in their cyber campaign. As a result, compromised hosts were used as command-and-control servers to sustain further operations and data exfiltration.
The attack abused insecure update mechanisms, which let the group install malware such as MgBot on Windows systems and MACMA on macOS systems without any user interaction. In one notable incident, a rogue Google Chrome extension was introduced into a macOS environment; it manipulated the browser's Secure Preferences file and was designed to steal browser cookies, sending the stolen data to an attacker-controlled Google Drive account.
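The weakness the campaign depended on is that a spoofed DNS answer is only dangerous when the update client trusts whatever the resolved host serves. The following Go model is an added example, not code from Volexity's report or from Tencent QQ: it contrasts an update client that installs anything the resolved host returns with one that verifies an Ed25519 signature against a pinned publisher key, so that the same spoofed answer leads to a refused update instead of a malware install. The hostname, payloads, keys and the in-memory resolver are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// updateServer is whichever host the update hostname resolves to; in the StormBamboo case the ISP-level DNS answer decided that.
type updateServer struct {
	payload, signature []byte // signature is Ed25519 over payload
}

// resolver is a constructed stand-in for DNS: hostname -> server reached.
type resolver map[string]*updateServer

// insecureUpdate installs whatever the resolved host serves (spoofed answer => attacker payload, no user interaction).
func insecureUpdate(dns resolver, host string) ([]byte, error) {
	if srv, ok := dns[host]; ok {
		return srv.payload, nil
	}
	return nil, errors.New("update host did not resolve")
}

// verifiedUpdate installs only payloads signed by the publisher's pinned key; a spoofed answer at worst fails the update.
func verifiedUpdate(dns resolver, host string, pub ed25519.PublicKey) ([]byte, error) {
	srv, ok := dns[host]
	if !ok {
		return nil, errors.New("update host did not resolve")
	}
	if !ed25519.Verify(pub, srv.payload, srv.signature) {
		return nil, errors.New("signature does not match pinned publisher key")
	}
	return srv.payload, nil
}

// scenario runs both clients against an honest resolver and a spoofed one whose update host is an attacker server signing with its own, unpinned key.
func scenario() (honestGot, insecureGot, verifiedGot []byte, verifiedErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // publisher's key pair (constructed)
	_, rogue, _ := ed25519.GenerateKey(rand.Reader)  // attacker's key pair (constructed)
	genuine := []byte("constructed genuine update")
	dropper := []byte("constructed malicious dropper")
	honest := resolver{"update.example": &updateServer{genuine, ed25519.Sign(priv, genuine)}}
	spoofed := resolver{"update.example": &updateServer{dropper, ed25519.Sign(rogue, dropper)}}
	honestGot, _ = verifiedUpdate(honest, "update.example", pub)
	insecureGot, _ = insecureUpdate(spoofed, "update.example")
	verifiedGot, verifiedErr = verifiedUpdate(spoofed, "update.example", pub)
	return
}
```

The signature check does nothing about the spoofed DNS answer itself, which is why the ISP still had to be notified and its devices rebooted; it only removes the ability of a spoofed answer to turn into code execution on the client.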
Volexity's prompt notification to the affected ISP led to an immediate investigation. After key infrastructure devices were rebooted, the attack stopped, which underlines the importance of vigilant defences against tampering at the network-provider level.
Evasive Panda's history in cyber espionage dates back to 2012; the group has used a range of backdoors, including MgBot and Nightdoor, to steal sensitive information. It is now also associated with the macOS malware MACMA, observed in the wild since 2021, underlining the need for ongoing scrutiny and defensive measures against such evolving threats.