StormBamboo Compromises ISP to Abuse Insecure Software Update Mechanisms
ID: 154c9b6e-0978-5c5a-85fa-22a937a8484d
STIX ID: report--154c9b6e-0978-5c5a-85fa-22a937a8484d
Feed Name: Volexity Blog
Volexity documents a campaign, discovered in mid-2023, in which the StormBamboo threat actor compromised an ISP’s DNS infrastructure and poisoned responses for software update hosts. Applications whose automatic updaters fetched installers over plain HTTP, without validating a signature on what they received, were redirected to attacker-controlled servers, resulting in deployment of multiple malware families (including MACMA and POCOSTICK), a DNS/HTTP interception tool (CATCHDNS) for network appliances, and a Chrome extension that exfiltrates browser cookies. The report contains technical analysis, extracted malware configurations, IOCs, and detection rules for defenders.
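The attack path in the summary, as an added example that is not part of the Volexity report or any vendor's code: a resolver that answers an update host with an attacker IP, an updater that trusts DNS plus plain HTTP and installs whatever it gets, and a hardened updater that pins a vendor key, verifies the manifest signature, and checks the installer hash carried in the signed manifest. DNS and HTTP are simulated in-process so the script runs offline; the host name, IPs, keys and payload bytes are constructed placeholders, and HMAC-SHA256 stands in for the vendor's asymmetric update signature (a real updater pins the vendor's public key and verifies an Ed25519 or RSA signature).

```python
"""Insecure vs. verified software updater under a poisoned DNS resolver.

Added example, not code from the Volexity report. Everything here is
constructed: the vendor host, the IPs, the signing key and the payloads.
HMAC-SHA256 replaces an asymmetric vendor signature only so the example
runs on the standard library; the verification logic is the same shape.
"""
import hashlib
import hmac
import json

UPDATE_HOST = "updates.example-vendor.invalid"      # hypothetical vendor host
VENDOR_IP = "203.0.113.10"                           # RFC 5737 documentation range
ATTACKER_IP = "198.51.100.7"                         # attacker server (fully forged manifest)
REPLAY_IP = "198.51.100.8"                           # attacker server (replays real manifest)

VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"   # stand-in for vendor private key
PINNED_VERIFY_KEY = VENDOR_SIGNING_KEY                   # stand-in for pinned vendor public key

GOOD_INSTALLER = b"benign installer bytes (constructed)"
EVIL_INSTALLER = b"attacker dropper bytes (constructed)"


def sign_manifest(manifest, key):
    """Canonicalize the manifest and sign it (HMAC as a stand-in for Ed25519/RSA)."""
    body = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(installer):
    return {"version": "2.0.1", "url": "/installer",
            "sha256": hashlib.sha256(installer).hexdigest()}


def make_server(manifest, sig, installer):
    """A fake HTTP server: path -> bytes returned for GET."""
    return {"/manifest.json": json.dumps({"manifest": manifest, "sig": sig}).encode(),
            "/installer": installer}


VENDOR_MANIFEST = build_manifest(GOOD_INSTALLER)
VENDOR_SIG = sign_manifest(VENDOR_MANIFEST, VENDOR_SIGNING_KEY)

SERVERS = {
    # Legitimate vendor: signed manifest, matching installer.
    VENDOR_IP: make_server(VENDOR_MANIFEST, VENDOR_SIG, GOOD_INSTALLER),
    # Attacker without the vendor key: forges a manifest for the dropper.
    ATTACKER_IP: make_server(build_manifest(EVIL_INSTALLER), "0" * 64, EVIL_INSTALLER),
    # Attacker replaying the vendor's genuine signed manifest but swapping the installer.
    REPLAY_IP: make_server(VENDOR_MANIFEST, VENDOR_SIG, EVIL_INSTALLER),
}

HONEST_DNS = {UPDATE_HOST: VENDOR_IP}
POISONED_DNS = {UPDATE_HOST: ATTACKER_IP}   # what a compromised resolver answers
REPLAY_DNS = {UPDATE_HOST: REPLAY_IP}


def http_get(dns, host, path):
    """Plain HTTP: the client goes wherever the resolver points it, no TLS identity check."""
    return SERVERS[dns[host]][path]


def insecure_update(dns):
    """Trusts DNS + HTTP and installs whatever the resolved host serves."""
    doc = json.loads(http_get(dns, UPDATE_HOST, "/manifest.json"))
    return http_get(dns, UPDATE_HOST, doc["manifest"]["url"])


def verified_update(dns):
    """Accepts only a manifest signed by the pinned vendor key, then checks the installer hash."""
    doc = json.loads(http_get(dns, UPDATE_HOST, "/manifest.json"))
    manifest, sig = doc["manifest"], doc["sig"]
    expected = sign_manifest(manifest, PINNED_VERIFY_KEY)
    if not hmac.compare_digest(expected, sig):
        raise ValueError("manifest signature invalid; refusing update")
    payload = http_get(dns, UPDATE_HOST, manifest["url"])
    if hashlib.sha256(payload).hexdigest() != manifest["sha256"]:
        raise ValueError("installer hash does not match signed manifest; refusing update")
    return payload


def attempt(updater, dns):
    """Run an updater and report (installed_ok, payload_or_reason)."""
    try:
        return True, updater(dns)
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    for name, dns in (("honest", HONEST_DNS), ("poisoned", POISONED_DNS), ("replay", REPLAY_DNS)):
        print(name, "insecure:", attempt(insecure_update, dns))
        print(name, "verified:", attempt(verified_update, dns))
```

The insecure updater installs the attacker's payload as soon as the resolver lies, which is exactly the position a compromised ISP puts every downstream client in; the verified updater rejects both the forged manifest (bad signature) and the replayed genuine manifest with a swapped installer (hash mismatch). Binding the installer hash inside the signed manifest is what closes the second case.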
