KEY TAKEAWAYS StormBamboo successfully compromised an internet service provider (ISP) in order to poison DNS responses for target organizations. Insecure software update mechanisms were targeted to surreptitiously install malware on victim machines running macOS and Windows. Malware deployed by StormBamboo includes new variants of the MACMA malware. Analysis of the newest versions of MACMA shows converged development of the MACMA and GIMMICK malware families. Post-exploitation activity included deployment of the malicious browser extension RELOADEXT to exfiltrate victim mail data. In mid-2023, Volexity detected and responded to multiple incidents involving systems becoming infected with malware linked to StormBamboo (aka Evasive Panda, and previously tracked by Volexity under “StormCloud”). In those incidents, multiple malware families were found being deployed to macOS and Windows systems across the victim organizations’ networks. The infection vector for this malware was initially difficult to establish but later proved to be the result of a DNS poisoning attack […]
