StormBamboo Exploits ISP Vulnerabilities to Manipulate Insecure Software Update Processes

StormBamboo compromised an ISP to poison DNS responses and redirect update requests to attacker‑controlled servers, enabling malware installation on macOS and Windows via insecure software update mechanisms. The operation included MACMA and POCOSTICK (MGBot) with post‑exploitation activity via a malicious Chrome extension named RELOADEXT for data exfiltration. #StormBamboo #MACMA #POCOSTICK #MGBot #RELOADEXT #DNSPoisoning #InsecureSoftwareUpdate

Keypoints

  • StormBamboo targeted an internet service provider (ISP) to poison DNS responses for update-related domains.
  • Insecure software update mechanisms were exploited to install malware on macOS and Windows systems.
  • New MACMA variants were deployed alongside POCOSTICK (MGBot), with convergence toward related malware families.
  • Post‑exploitation activity included deploying RELOADEXT, a malicious Chrome extension, to exfiltrate data.
  • The DNS poisoning technique redirected legitimate update requests to attacker‑controlled C2 servers.
  • Volexity notes similarities between StormBamboo’s approach and DriftingBamboo patterns from prior incidents.
  • Detection guidance includes applying the detection rules Volexity provides and blocking the associated IOCs.

MITRE Techniques

  • [T1071.004] DNS – DNS-based redirection to attacker‑controlled servers used to intercept update requests and point to malicious installers. ‘StormBamboo used DNS poisoning to redirect legitimate domains to malicious servers.’
  • [T1203] Exploitation for Client Execution – Exploited insecure software update mechanisms to install malware. ‘Exploited insecure software update mechanisms to install malware.’
  • [T1555.003] Credentials from Web Browsers – Exfiltrated browser cookies and other sensitive data using the RELOADEXT extension. ‘Exfiltrated browser cookies and other sensitive data using the RELOADEXT extension.’
  • [T1567.002] Exfiltration to Cloud Storage – Data exfiltrated to Google Drive controlled by the attacker, with encrypted payloads. ‘The attacker’s Google Drive client_id, client_secret, and refresh_token are all contained in the extension… encrypted beyond the default encryption… using AES with the key chrome extension.’

Indicators of Compromise

  • [IP] 103.96.130.107 – DNS responses poisoned to resolve to attacker IP in Hong Kong.
  • [IP] 122.10.90.20 – Example attacker‑controlled IP used in DNS hijacking scenarios.
  • [Domain] www.msftconnecttest[.]com – Legitimate Microsoft connectivity-check domain whose DNS resolution was hijacked (in the configuration shown in the report) to redirect to C2.
  • [Domain] 5kplayer[.]com – Legitimate vendor domain whose update check was redirected so that the poisoned response triggered malicious downloads.
  • [File] Youtube.config – Configuration file contents used to trigger and configure the malicious update flow.
  • [File] YouTubeDL.py – Script updated by the attacker to download MACMA/POCOSTICK payloads.
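
A small detection routine, added here as an example and not part of the Volexity report, that scans resolver logs for the update-related domains above resolving to the listed attacker IPs; the log line format and the sample lines are constructed.

```python
import ipaddress
import re
# Attacker IPs from the IOC section above.
IOC_IPS = {"103.96.130.107", "122.10.90.20"}
# Domains the report names as abused in the update flow. Assumption: an
# organisation would extend this set with its own software-update domains.
UPDATE_DOMAINS = {"www.msftconnecttest.com", "5kplayer.com"}
# Constructed, hypothetical resolver log format:
#   <timestamp> <client-ip> <query-name> A <answer-ip>
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+A\s+(\S+)$")

def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, answer = m.groups()
    return {"ts": ts, "client": client,
            "qname": qname.rstrip(".").lower(), "answer": answer}

def classify(rec):
    """Return a reason string if the answer is suspicious, else None."""
    if rec is None:
        return None
    try:
        answer = str(ipaddress.ip_address(rec["answer"]))
    except ValueError:
        return None  # not an address we can compare with the IOC list
    if answer not in IOC_IPS:
        return None
    q = rec["qname"]
    if any(q == d or q.endswith("." + d) for d in UPDATE_DOMAINS):
        return "update domain resolved to attacker IP (likely DNS poisoning)"
    return "resolution to known attacker IP"

def find_poisoned(lines):
    """Return (record, reason) pairs for every suspicious log line."""
    hits = []
    for rec in map(parse_line, lines):
        reason = classify(rec)
        if reason:
            hits.append((rec, reason))
    return hits

# Constructed sample log; 192.0.2.10 is a documentation address standing in for a benign answer.
SAMPLE_LOG = [
    "2024-08-01T10:00:00Z 10.0.0.5 www.msftconnecttest.com. A 103.96.130.107",
    "2024-08-01T10:00:01Z 10.0.0.5 5kplayer.com. A 122.10.90.20",
    "2024-08-01T10:00:02Z 10.0.0.6 www.msftconnecttest.com. A 192.0.2.10",
    "2024-08-01T10:00:03Z 10.0.0.7 example.org. A 103.96.130.107",
]
```

Any hit on an update domain is the strongest signal, since the domain itself is legitimate and only its answer is wrong; a hit on an unrelated domain still warrants a look at the client.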

Read more: https://www.volexity.com/blog/2024/08/02/stormbamboo-compromises-isp-to-abuse-insecure-software-update-mechanisms/