Tag Archives: MACMA

Malware delivery via automatic software updates

Malware delivery via automatic software updates. An interesting case was published by Volexity experts. Let’s say you have some software on the host. It periodically goes online to check for updates and then installs them… And instead of updating, malware is installed. 😱👾

And this is NOT a case of a compromised software vendor website. 🙂

To achieve this result, the StormBamboo bad guys carried out a DNS poisoning attack at the Internet service provider (ISP) level. The attackers changed the responses to DNS queries for certain domains. Accordingly, the “update” was downloaded from the IP addresses of the villains. 😈

Naturally, for this trick to work, the software must use insecure update mechanisms: connect via HTTP, do not check installer digital signatures, etc. 🤷‍♂️ Volexity mentions an attack via 5KPlayer media player updates. The victims were infected with MACMA and POCOSTICK / MGBot malware.

На русском

This is my personal blog. The opinions expressed here are my own and not of my employer. All product names, logos, and brands are property of their respective owners. All company, product and service names used here for identification purposes only. Use of these names, logos, and brands does not imply endorsement. You can freely use materials of this site, but it would be nice if you place a link on https://avleonov.com and send message about it at me@avleonov.com or contact me any other way.

Alexander V. Leonov

Vulnerability Management and more

Tag Archives: MACMA

Malware delivery via automatic software updates