
The PlushDaemon threat actor has been identified using a new Go-based network backdoor, called EdgeStepper, to facilitate Adversary in the Middle (AitM) attacks. EdgeStepper has the ability to redirect all DNS queries to an external malicious node, diverting traffic from legitimate software update infrastructure to attacker-controlled infrastructure.
About Threat Actor PlushDaemon
PlushDaemon is a China-aligned threat group, active since at least 2018. It is known for directing attacks against entities in the United States, New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China.
The group was documented by ESET earlier this year for a supply chain attack targeting a South Korean VPN provider (IPany). In that attack, they used a sophisticated implant called SlowStepper to attack a semiconductor company and a software development company in South Korea.
Notable victims include:
- A university in Beijing.
- A Taiwanese electronic products manufacturing company.
- Companies in the automotive sector.
- A branch of a Japanese company in the manufacturing sector.
EdgeStepper and AitM attack mechanism
PlushDaemon’s main initial access mechanism is AitM poisoning. This technique has been adopted by a growing number of China-affiliated advanced persistent threat (APT) groups over the past two years, such as LuoYu, Evasive Panda, BlackTech, TheWizards APT, Blackwood, and FontGoblin.
The attack begins with the compromise of a perimeter network device (such as a router) to which the target is likely to connect. Access is gained by exploiting vulnerabilities in the device's software or by abusing weak credentials, after which EdgeStepper is deployed on the device.
EdgeStepper operation:
- DNS Redirection: EdgeStepper redirects DNS queries to a malicious DNS node.
- Domain verification: The malicious DNS node checks whether the domain in the query is related to software updates.
- Malicious response: If the query is related to an update, the DNS node responds with the IP address of the hijacking node, so the update traffic is diverted away from the legitimate update server. In some cases, the same server acts as both the DNS node and the hijacking node.
The EdgeStepper malware consists of two parts: a “Distributor” module that resolves the IP address of the malicious DNS node and a “Ruler” component that configures IP packet filtering rules using iptables.
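A defender's counterpart to the Ruler component is to audit the NAT rules on edge devices for DNS redirection. The following is an added example, not code from the ESET report or from EdgeStepper itself: it parses `iptables-save`-style output (a constructed sample from a hypothetical router is embedded; the 203.0.113.0/24 and 192.168.1.0/24 addresses are documentation and private ranges) and flags DNAT rules that send port-53 traffic to any address other than the device's own trusted resolver targets.

```python
"""Audit iptables NAT rules for off-device DNS (port 53) redirection.

Added example; not part of the original report or of EdgeStepper. It reads
`iptables-save`-style text and reports DNAT rules that rewrite DNS traffic to
an address outside a small trusted set. REDIRECT rules (to a local port) are
treated as benign because they keep queries on the device's own resolver.
"""
import ipaddress
import re

# Constructed sample of `iptables-save -t nat` output from a hypothetical
# router. The two rules steering udp/tcp dport 53 to 203.0.113.10 are the
# kind of redirection the text describes; the others are ordinary router rules.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j DNAT --to-destination 203.0.113.10:53
-A PREROUTING -i br-lan -p tcp -m tcp --dport 53 -j DNAT --to-destination 203.0.113.10:53
-A PREROUTING -d 192.168.1.1/32 -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A PREROUTING -i br-lan -p tcp -m tcp --dport 80 -j DNAT --to-destination 192.168.1.50:8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Addresses this router is allowed to steer DNS to: its own LAN address and
# loopback. Assumed values for the sample device; adjust per deployment.
TRUSTED_DNS_TARGETS = [
    ipaddress.ip_network("192.168.1.1/32"),
    ipaddress.ip_network("127.0.0.0/8"),
]

DPORT_RE = re.compile(r"--dport\s+(\d+)")
DNAT_RE = re.compile(r"-j\s+DNAT\s+--to-destination\s+([0-9.]+)(?::(\d+))?")


def find_dns_redirects(nat_dump, trusted=TRUSTED_DNS_TARGETS):
    """Return a list of (rule_text, target_ip) for every DNAT rule that
    rewrites port-53 traffic to an address outside `trusted`."""
    findings = []
    for line in nat_dump.splitlines():
        if not line.startswith("-A "):
            continue  # table header, chain policies, COMMIT
        dport = DPORT_RE.search(line)
        if not dport or dport.group(1) != "53":
            continue  # only DNS rules are of interest here
        dnat = DNAT_RE.search(line)
        if not dnat:
            continue  # REDIRECT/ACCEPT etc.: no off-device rewrite
        target = ipaddress.ip_address(dnat.group(1))
        if any(target in net for net in trusted):
            continue  # points at the device's own resolver
        findings.append((line, str(target)))
    return findings


if __name__ == "__main__":
    for rule, target in find_dns_redirects(SAMPLE_NAT_RULES):
        print(f"DNS redirected off-device to {target}: {rule}")
```

Run it against `iptables-save -t nat` output collected from the device (for example over an out-of-band management connection) rather than trusting the device's own admin UI, since a compromised device may not show its rules truthfully.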
SlowStepper infection chain and payload
The EdgeStepper attack is specifically designed to hijack Chinese software update channels, such as Sogou Pinyin. Through this hijacking, a malicious DLL called LittleDaemon (file name “popup_4.2.0.2246.dll”) is delivered from a server controlled by the threat actor.
Multi-stage infection process:
- LittleDaemon: Acts as an initial downloader. If the infected system does not have SlowStepper running, LittleDaemon contacts the attacker node to obtain the second stage downloader, DaemonicLogistics.
- DaemonicLogistics: Its sole purpose is to download the SlowStepper backdoor from the server and run it.
- SlowStepper: This is the main and most sophisticated implant. SlowStepper offers extensive functionality, including:
  - System information collection.
  - File exfiltration.
  - Extraction of browser credentials.
  - Data extraction from various messaging applications.
  - Self-uninstall capability.
Conclusions
EdgeStepper represents an evolution in PlushDaemon’s tactics, leveraging DNS hijacking to compromise the software update supply chain. This technique allows the group to infiltrate networks and deploy their SlowStepper implant. The sophistication of SlowStepper, combined with the increasing use of AitM attacks by Chinese APTs, underscores the need to strengthen the security of edge devices and monitor DNS traffic for anomalies.
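The DNS monitoring the conclusion calls for can be made concrete with two simple checks over resolution records: several unrelated update-related hostnames resolving to one address, and an answer that equals the responding resolver's own address (the report notes that one server can act as both DNS node and hijacking node). The following is an added example, not code from the ESET report; the record format, the hostnames and the addresses are all constructed for the example, and the keyword list used to recognise update hostnames is an assumption.

```python
"""Flag DNS answers consistent with software-update hijacking.

Added example; not part of the original report. Two heuristics over
(query name, answer address, resolver address) records:
  1. several distinct update-related domains resolving to the same address;
  2. an update-related answer that is the resolver's own address.
All sample data below is constructed; no real vendor domains are used.
"""
from collections import defaultdict

# Constructed records: (query name, answer address, resolver that answered).
# 198.51.100.7 plays the role of a resolver that also answers for itself.
SAMPLE_RECORDS = [
    ("update.ime-vendor-a.example", "198.51.100.7", "198.51.100.7"),
    ("dl.ime-vendor-a.example",     "198.51.100.7", "198.51.100.7"),
    ("update.browser-b.example",    "198.51.100.7", "198.51.100.7"),
    ("www.news-site.example",       "203.0.113.45", "198.51.100.7"),
    ("update.player-c.example",     "192.0.2.20",   "192.168.1.1"),
]

# Hostname tokens that suggest a software-update channel (assumed list).
UPDATE_KEYWORDS = ("update", "upgrade", "download", "dl.", "patch")


def looks_like_update_host(name):
    """True if the hostname contains one of the update-related tokens."""
    n = name.lower()
    return any(k in n for k in UPDATE_KEYWORDS)


def registrable_domain(name):
    """Crude grouping key: the last two labels of the hostname. Adequate for
    the sample; a production tool would consult the public suffix list."""
    parts = name.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def detect_update_hijack(records, min_domains=2):
    """Return {'shared_update_answer': [...], 'resolver_answers_with_itself': [...]}
    listing answer addresses that trip each heuristic."""
    domains_by_answer = defaultdict(set)
    self_answers = set()
    for qname, answer, resolver in records:
        if not looks_like_update_host(qname):
            continue  # only update-related names matter for these checks
        domains_by_answer[answer].add(registrable_domain(qname))
        if answer == resolver:
            self_answers.add(answer)  # DNS node and hijacking node coincide
    shared = sorted(ip for ip, doms in domains_by_answer.items()
                    if len(doms) >= min_domains)
    return {
        "shared_update_answer": shared,
        "resolver_answers_with_itself": sorted(self_answers),
    }


if __name__ == "__main__":
    for kind, addrs in detect_update_hijack(SAMPLE_RECORDS).items():
        print(f"{kind}: {addrs}")
```

Both heuristics produce false positives on their own (a CDN legitimately serves many vendors' update traffic from shared addresses), so treat hits as triage leads and confirm them by resolving the same names through an independent, known-good resolver from outside the suspect network segment.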
References
- Principal researcher: Facundo Muñoz (ESET)
- Associated implants: SlowStepper, LittleDaemon, DaemonicLogistics
- AitM related APTs: LuoYu, Evasive Panda, BlackTech, TheWizards APT, Blackwood, FontGoblin