The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks.
EdgeStepper “redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure,” ESET security researcher Facundo Muñoz said in a report shared with The Hacker News.
Known to be active since at least 2018, PlushDaemon is assessed to be a China-aligned group that has attacked entities in the U.S., New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China.
It was first documented by the Slovak cybersecurity company earlier this January, detailing a supply chain attack aimed at a South Korean virtual private network (VPN) provider named IPany to target a semiconductor company and an unidentified software development company in South Korea with a feature-rich implant dubbed SlowStepper.
Among the adversary’s victims include a university in Beijing, a Taiwanese company that manufactures electronics, a company in the automotive sector, and a branch of a Japanese company in the manufacturing sector. Earlier this month, ESET also said it observed PlushDaemon targeting two entities in Cambodia this year, a company in the automotive sector and a branch of a Japanese company in the manufacturing sector, with SlowStepper.
The primary initial access mechanism for the threat actor is to leverage AitM poisoning, a technique that has been embraced by an “ever increasing” number of China-affiliated advanced persistent threat (APT) clusters in the last two years, such as LuoYu, Evasive Panda, BlackTech, TheWizards APT, Blackwood, and FontGoblin. ESET said it’s tracking ten active China-aligned groups that have hijacked software update mechanisms for initial access and lateral movement.
The attack essentially commences with the threat actor compromising an edge network device (e.g., a router) that its target is likely to connect to. This is accomplished by either exploiting a security flaw in the software or through weak credentials, allowing them to deploy caEdgeStepper.
“Then, EdgeStepper begins redirecting DNS queries to a malicious DNS node that verifies whether the domain in the DNS query message is related to software updates, and if so, it replies with the IP address of the hijacking node,” Muñoz explained. “Alternatively, we have also observed that some servers are both the DNS node and the hijacking node; in those cases, the DNS node replies to DNS queries with its own IP address.”
Internally, the malware consists of two moving parts: a Distributor module that resolves the IP address associated with the DNS node domain (“test.dsc.wcsset[.]com”) and invokes the Ruler component responsible for configuring IP packet filter rules using iptables.
The attack specifically checks for several Chinese software, including Sogou Pinyin, to have their update channels hijacked by means of EdgeStepper to deliver a malicious DLL (“popup_4.2.0.2246.dll” aka LittleDaemon) from a threat actor-controlled server. A first-stage deployed through hijacked updates, LittleDaemon is designed to communicate with the attacker node to fetch a downloader referred to as DaemonicLogistics if SlowStepper is not running on the infected system.
The main purpose of DaemonicLogistics is to download the SlowStepper backdoor from the server and execute it. SlowStepper supports an extensive set of features to gather system information, files, browser credentials, extract data from a number of messaging apps, and even uninstall itself.
“These implants give PlushDaemon the capability to compromise targets anywhere in the world,” Muñoz said.