StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms
Aug. 5, 2024, 11:35 a.m.
Description
Volexity detected and responded to multiple incidents involving systems infected with malware linked to StormBamboo, a threat actor known for compromising internet service providers (ISPs) and using DNS poisoning to redirect software update traffic to attacker-controlled servers hosting malicious payloads. The threat actor abused insecure software update mechanisms that fetched updates over plain HTTP, which allowed it to surreptitiously install malware, including new variants of MACMA and POCOSTICK, on victim machines running macOS and Windows. Post-exploitation activity included deploying a malicious browser extension to exfiltrate victim email data. The incidents highlight StormBamboo's sophisticated tactics and the risks posed by update mechanisms that are not authenticated or transported securely.
Date
Published: Aug. 5, 2024, 11:29 a.m.
Created: Aug. 5, 2024, 11:29 a.m.
Modified: Aug. 5, 2024, 11:35 a.m.
Attack Patterns
RELOADEXT
POCOSTICK
DazzleSpy
OSX.CDDS
MacMa - S1016
StormBamboo
T1558.003
T1553.003
T1557.001
T1194
T1207
T1078.001
T1583.001
T1059.006
T1574.002
T1059.007
T1059.004
T1056.001
T1199
T1071.001
T1195
CVE-2024-3400