
The threat group known as PlushDaemon has been detected using a new Go-based network backdoor, called EdgeStepper, to facilitate Adversary in the Middle (AitM) attacks and hijack software update mechanisms.
EdgeStepper, a previously undocumented implant, has been designed to reroute victims’ DNS queries to attacker-controlled infrastructure. This backdoor allows PlushDaemon to redirect legitimate software update traffic to malicious nodes, facilitating the delivery of second-stage payloads.
The Threat Actor PlushDaemon and Its Objectives
PlushDaemon is a China-aligned advanced persistent threat (APT) group, active since at least 2018. It has targeted entities in various regions, including the US, New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China.
The group had already been documented by ESET earlier this year, revealing a supply chain attack targeting a South Korean VPN provider (IPany) to attack a semiconductor company and a software development company. In that attack, PlushDaemon used a feature-rich implant called SlowStepper.
Victims recently documented by ESET include:
- A university in Beijing.
- A Taiwanese electronics manufacturing company.
- A company in the automotive sector.
- A branch of a Japanese company in the manufacturing sector.
AitM Attack Mechanism with EdgeStepper
PlushDaemon’s main initial access mechanism is AitM poisoning. This technique has been adopted by a growing number of China-affiliated APT groups over the past two years (such as LuoYu, Evasive Panda, BlackTech and others), which use it to hijack software update mechanisms.
Phases of the attack with EdgeStepper:
- Network Device Compromise: The attack begins with the intrusion into a perimeter network device (router) of the victim. This is achieved by exploiting security vulnerabilities in the device software or using weak credentials.
- EdgeStepper Deployment: Once the device is compromised, EdgeStepper is installed.
- DNS Redirection: EdgeStepper redirects all DNS queries to a malicious DNS node.
- Domain Verification: The malicious DNS node checks if the domain in the query is related to software updates.
- Traffic Hijacking: If the query is about a software update, the DNS node responds with the IP address of a hijacking node. This redirects the victim’s software update traffic to the attacker-controlled infrastructure.
Internally, EdgeStepper consists of two main components: a Distributor module that resolves the IP address of the malicious DNS node, and a Ruler component that configures IP packet filtering rules (using iptables) to implement redirection.
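Because the Ruler component enforces the redirection with iptables NAT rules, a defender who can pull `iptables-save -t nat` from an edge router can check whether port-53 traffic is being rewritten to a host outside the LAN. The following is an added example (not ESET's tooling or anything from the EdgeStepper sample); the rule dump, the 203.0.113.7 address and the local network ranges are constructed assumptions.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample of `iptables-save -t nat` output from an edge router (not a real capture).
# Rule 1 is the router's own local DNS interception (benign); rules 3 and 4 push every
# client's DNS query to an off-network host, the pattern a DNS-redirecting implant creates.
SAMPLE_NAT_RULES = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -i br-lan -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -p udp -m udp --dport 53 -j DNAT --to-destination 203.0.113.7:53
-A PREROUTING -p tcp -m tcp --dport 53 -j DNAT --to-destination 203.0.113.7:53
COMMIT
"""

# Assumed address ranges that legitimately host resolvers for this router's clients.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Matches a DNAT rule on a destination port and captures where the traffic is sent.
DNAT_RE = re.compile(
    r"^-A (?P<chain>\S+) .*?-p (?P<proto>udp|tcp) .*?--dport (?P<dport>\d+) "
    r".*?-j DNAT --to-destination (?P<dest>[0-9.]+)(?::(?P<port>\d+))?"
)

def find_dns_diversions(iptables_save_text: str) -> List[Dict[str, str]]:
    """Return DNAT rules that send port-53 traffic to an address outside LOCAL_NETS.

    REDIRECT rules (interception by the router's own resolver) never match the
    regex, and DNAT to an in-network resolver is skipped as an expected setup.
    """
    findings = []
    for line in iptables_save_text.splitlines():
        m = DNAT_RE.match(line)
        if not m or m.group("dport") != "53":
            continue
        dest = ipaddress.ip_address(m.group("dest"))
        if any(dest in net for net in LOCAL_NETS):
            continue
        findings.append({"chain": m.group("chain"), "proto": m.group("proto"),
                         "dest": str(dest), "port": m.group("port") or "53", "rule": line})
    return findings

if __name__ == "__main__":
    for f in find_dns_diversions(SAMPLE_NAT_RULES):
        print(f"DNS diverted off-network: {f['proto']}/53 -> {f['dest']}:{f['port']} ({f['chain']})")
```

A hit is a starting point for investigation, not proof of compromise; confirm against the router's configuration history and the resolver the organisation actually intends clients to use.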
The Multi-Stage Chain of Infection
The ultimate goal of this AitM maneuver is to deliver malicious payloads to victims. Attackers specifically seek to hijack software update channels, such as the one used by the Chinese Sogou Pinyin software.
Sequence of infection:
- EdgeStepper: Performs DNS redirection on the edge device.
- LittleDaemon Delivery: Via the hijacked software update, a malicious DLL named LittleDaemon (popup_4.2.0.2246.dll) is delivered.
- DaemonicLogistics Download: If SlowStepper is not already present on the system, LittleDaemon communicates with the attacker node to obtain DaemonicLogistics, a download component.
- SlowStepper Deployment: DaemonicLogistics downloads and executes the SlowStepper backdoor from the attackers’ server.
SlowStepper is an implant with advanced information theft capabilities, including harvesting system data, files, browser credentials, and messaging application data. It also has the ability to self-uninstall to evade detection.
Conclusion
The adoption of the AitM technique using EdgeStepper demonstrates the increasing sophistication of PlushDaemon. By compromising perimeter network devices and hijacking software updates, the group can bypass traditional network defenses and establish a persistent backdoor. PlushDaemon’s ability to compromise targets on a global level underscores the importance of securing network devices, strictly managing credentials, and monitoring network traffic for anomalies.
References
- Threat: PlushDaemon (China-aligned APT)
- Main Malware: EdgeStepper (Go-based network backdoor)
- Secondary Malware: SlowStepper (feature-rich implant), LittleDaemon (first-stage DLL), DaemonicLogistics (downloader)
- ESET researcher: Facundo Muñoz
- Attack Technique: Adversary-in-the-Middle (AitM), DNS poisoning
- Related APT groups: LuoYu, Evasive Panda, BlackTech, TheWizards APT, Blackwood, FontGoblin