Malware spread through updates: how to protect your PC

When some software on your computer signals the need to update, you typically just hit the OK button and don’t think twice about it, right? Same as millions of other users all over the world. In most cases, everything goes smoothly: with your permission, the program downloads a package and installs it, sometimes requesting a reboot afterwards. Recently, however, an attack pattern was spotted that turns this routine approach to software updates into a real risk.

On August 2, 2024, Volexity, a cybersecurity company, published a blog post reporting how StormBamboo, a hacker group presumably also known as StormCloud, Evasive Panda, and Daggerfly, compromised an unnamed internet service provider (ISP) and set up a “machine-in-the-middle” attack. This pattern, as its name suggests, involves placing the attacker’s equipment in the path of traffic so that malicious code can be returned to users’ computers while everything looks and feels normal to them, leaving them oblivious to what is really happening.

What is DNS poisoning?

In this particular case, we are dealing with DNS poisoning. DNS (Domain Name System) is the backbone mechanism that resolves site names into the numerical addresses of the servers from which the content of those sites is fetched. StormBamboo managed to replace those addresses and redirect a portion of the traffic passing through the compromised ISP to their own server. There, users received malware under the guise of updates for several programs, including 5KPlayer, Quick Heal, Rainmeter, Partition Wizard, and some software from Corel and Sogou.
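To show why DNS-level redirection alone should not be enough to slip a fake package past an updater, here is an added illustration in Go (not part of the original post, and not the code of any product named here): the client pins the vendor’s public key and checks a signed manifest, so an attacker who controls the DNS answer and the server still cannot produce an acceptable signature. The struct fields, URLs, build numbers and package bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Manifest is the signed record an updater fetches before the package (field names are this example's own).
type Manifest struct {
	Build     uint64   // monotonically increasing build number
	URL       string   // download location for the package
	SHA256    [32]byte // digest of the package bytes
	Signature []byte   // vendor Ed25519 signature over signedBytes()
}

// signedBytes is the exact byte string the vendor signs and the client checks.
func signedBytes(m Manifest) []byte {
	return []byte(fmt.Sprintf("%d\n%s\n%x", m.Build, m.URL, m.SHA256))
}

// VerifyUpdate accepts a package only if the manifest is signed under the pinned key, the URL is HTTPS,
// the build is newer than the installed one, and the bytes match the signed digest.
func VerifyUpdate(pinned ed25519.PublicKey, installed uint64, m Manifest, pkg []byte) error {
	switch {
	case !ed25519.Verify(pinned, signedBytes(m), m.Signature):
		return errors.New("manifest not signed by pinned vendor key")
	case !strings.HasPrefix(m.URL, "https://"):
		return errors.New("refusing plaintext download URL")
	case m.Build <= installed:
		return errors.New("downgrade or replay rejected")
	case sha256.Sum256(pkg) != m.SHA256:
		return errors.New("package digest does not match signed manifest")
	}
	return nil
}

// Demo replays the page's scenario with constructed data: the genuine update verifies, the attacker's is rejected.
func Demo() (genuineErr, attackerErr error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // the client ships with vendorPub pinned
	_, attackerPriv, _ := ed25519.GenerateKey(nil)       // the attacker has no copy of the vendor key
	genuine, malicious := []byte("constructed genuine installer"), []byte("constructed attacker payload")
	m := Manifest{Build: 42, URL: "https://updates.example.com/app-42.exe", SHA256: sha256.Sum256(genuine)}
	m.Signature = ed25519.Sign(vendorPriv, signedBytes(m))
	bad := Manifest{Build: 43, URL: "https://updates.example.com/app-43.exe", SHA256: sha256.Sum256(malicious)}
	bad.Signature = ed25519.Sign(attackerPriv, signedBytes(bad)) // served from the host a poisoned DNS answer points to
	return VerifyUpdate(vendorPub, 41, m, genuine), VerifyUpdate(vendorPub, 41, bad, malicious)
}
```

Calling Demo() returns nil for the genuine manifest and a signature error for the attacker’s, and VerifyUpdate also rejects a replayed older build, a plaintext URL, or a package whose bytes differ from the signed digest.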

What was the malware involved?

According to Volexity, the malicious code distributed in this campaign consisted of MACMA for macOS/iOS devices and POCOSTICK for hardware running Windows.

MACMA, first reported in 2021 by Google’s Threat Analysis Group, is a backdoor that, once deployed, gives its operator a wide range of capabilities on the infected system: fingerprinting, screen capture, file management, execution of commands in the terminal, plus the expected keylogging and, if the device has a microphone, audio recording.

POCOSTICK, a piece of malware for Windows systems, was first spotted in 2014 by ESET as MgBot, a backdoor framework believed to be StormBamboo’s signature tool. It gives its operator much the same array of tools as MACMA, so the threat is more than real.

Protect your computer from malware in software updates with Software Informer

Phishing may be the most talked-about way of distributing viruses, but essentially it all boils down to downloading and executing (opening) a file on your computer. Software updates are so common that we don’t really pay much attention to them, which makes them perfect carriers of malicious code.

Antivirus software protects you from most threats, but updates can sneak under the radar. Install Software Informer to fully shield your computer from malware distributed through compromised update routines:

  • all new versions of programs that you receive through our updater are pre-scanned for viruses;
  • all links to software products you see in the app are checked through the Google Safe Browsing service.

We could say that making software updates safe is a selling point for the Informer application, but we don’t sell this program: it’s free! Join 5+ million users who already feel safe with Informer.

Get your copy of Software Informer
