
China-based Evasive Panda hackers compromised an ISP to spread malware, report says

A China-based cyber-espionage group compromised an internet service provider (ISP) to spread malware in 2023, researchers said Friday, confirming a hunch expressed in an earlier report about the same operation.

Analysts at Volexity said the hacking operation — known as Evasive Panda, Bronze Highland, Daggerfly and StormBamboo — was indeed undertaking “adversary in the middle” attacks in 2023 as it infected Mac and Windows systems. In such incidents, threat actors get between a device and an otherwise trusted server to deliver malicious code.

Researchers at a different company, ESET, had attributed at least one malware infection to Evasive Panda in 2023 but could only speculate that it was an adversary-in-the-middle attack.

Volexity said its analysis showed that Evasive Panda had compromised the target’s ISP and was poisoning DNS requests — the basic communications that help devices reach internet addresses. 

“Volexity notified and worked with the ISP, who investigated various key devices providing traffic-routing services on their network,” Volexity said. “As the ISP rebooted and took various components of the network offline, the DNS poisoning immediately stopped.”

The attackers had used the disruption to serve up information-stealing malware known as MgBot or Pocostick (for Windows machines) and Macma (for MacOS devices). MgBot, in particular, has been a tool for Evasive Panda for more than a decade. ESET found MgBot used against China’s Tibetan population earlier this year.

Volexity said that in the 2023 incidents it analyzed, certain apps would request updates but the users’ devices would get MgBot and Macma instead. 

“StormBamboo appeared to target software that used insecure update mechanisms, such as HTTP, and did not properly validate digital signatures of installers,” Volexity said. 
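The two weaknesses Volexity names, update traffic over plain HTTP and installers accepted without a signature check, are exactly what a DNS-poisoning adversary in the middle needs. The following Go snippet is an added illustration, not code from Volexity or from any affected vendor, of the checks an update client should perform before installing anything; the vendor key pair, URLs and installer bytes are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
)

// VerifyUpdate performs the two checks the targeted updaters lacked:
// the update must come over HTTPS (a DNS-poisoned HTTP fetch lands on the
// attacker's server with nothing to stop it), and the installer must carry a
// valid signature under the vendor's pinned public key, so a swapped payload
// is rejected even if the transport were subverted.
func VerifyUpdate(updateURL string, installer, sig []byte, vendorKey ed25519.PublicKey) error {
	u, err := url.Parse(updateURL)
	if err != nil || u.Scheme != "https" {
		return errors.New("update URL is not HTTPS; refusing to fetch over an AitM-exposed channel")
	}
	if !ed25519.Verify(vendorKey, installer, sig) {
		return errors.New("installer signature does not verify under the pinned vendor key")
	}
	return nil
}

func main() {
	// Constructed vendor key pair: a real client ships only the public key, pinned in its binary.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	genuine := []byte("genuine installer bytes")
	sig := ed25519.Sign(priv, genuine)

	// Legitimate update: HTTPS and a valid signature, so no error.
	fmt.Println(VerifyUpdate("https://updates.example.com/app.exe", genuine, sig, pub))
	// HTTP update: refused before any bytes are trusted, regardless of signature.
	fmt.Println(VerifyUpdate("http://updates.example.com/app.exe", genuine, sig, pub))
	// Installer replaced in transit: the vendor's signature no longer matches, so it is refused.
	fmt.Println(VerifyUpdate("https://updates.example.com/app.exe", []byte("swapped payload"), sig, pub))
}
```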

Evasive Panda remains “a highly skilled and aggressive threat actor,” the researchers said, with a wide variety of malware at hand and “significant effort” invested in operations.

Joe Warminsky is the news editor for Recorded Future News. He has more than 25 years experience as an editor and writer in the Washington, D.C., area. Most recently he helped lead CyberScoop for more than five years. Prior to that, he was a digital editor at WAMU 88.5, the NPR affiliate in Washington, and he spent more than a decade editing coverage of Congress for CQ Roll Call.