
A China-aligned threat group known as PlushDaemon has been weaponizing a sophisticated attack method to infiltrate networks across multiple regions since 2018.
The group’s primary strategy involves intercepting legitimate software updates by deploying a specialized tool called EdgeStepper, which acts as a bridge between users’ computers and malicious servers.
This technique allows hackers to inject malware directly into what users believe are authentic update installations from trusted software vendors.
PlushDaemon’s campaign has targeted individuals and organizations in the United States, Taiwan, China, Hong Kong, New Zealand, and Cambodia.
The group employs multiple attack vectors, including exploitation of software vulnerabilities, weak network device credentials, and sophisticated supply-chain compromises.
During a 2023 investigation, researchers uncovered the group’s involvement in a major supply-chain attack affecting a South Korean VPN service, demonstrating their capability to operate at scale.
ESET security analysts identified and examined the EdgeStepper malware after discovering an ELF binary file on VirusTotal that contained infrastructure details linked to PlushDaemon operations.
The researchers found that the tool, internally codenamed dns_cheat_v2 by its developers, represents a critical component in the group’s attack infrastructure.
The analysis revealed how this network implant functions to intercept and redirect DNS queries, essentially hijacking the normal update process users expect from legitimate software.
The attack demonstrates a multi-stage infection process designed to evade traditional security defenses.
Once attackers compromise a network device such as a router through vulnerability exploitation or weak credentials, EdgeStepper begins its operation by intercepting DNS traffic.
When a user attempts to update software like Sogou Pinyin or similar Chinese applications, the malware redirects the connection to an attacker-controlled server.
This hijacking node then instructs the legitimate software to download a malicious DLL file instead of the genuine update.
DNS Interception and Traffic Redirection Mechanism
The technical foundation of EdgeStepper’s effectiveness lies in its elegant yet dangerous approach to network manipulation.
Written in the Go programming language using the GoFrame framework and compiled for MIPS32 processors, the malware begins operation by reading an encrypted configuration file named bioset.conf.
The decryption uses AES-CBC with a default key and initialization vector derived from the string “I Love Go Frame”, which is part of the GoFrame library’s standard implementation.
Once decrypted, the configuration reveals two critical parameters: toPort specifies the listening port, while host identifies the domain name of the malicious DNS node.
EdgeStepper then initializes two core systems called Distributor and Ruler. The Distributor component resolves the IP address of the malicious DNS node and coordinates the traffic flow, while the Ruler system issues iptables commands to redirect all UDP traffic on port 53 to EdgeStepper’s designated port.
The malware accomplishes this redirection using the command: “iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-port [value_from_toPort]”.
This command forces every DNS request from devices on the network through EdgeStepper before it reaches a legitimate DNS server, giving the implant a man-in-the-middle position from which it can intercept and modify the update instructions returned to software applications.
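A defender checking a router or gateway for this kind of diversion can look for exactly the rule shape quoted above. The following is an added example, not code from the article or from ESET's research: it parses `iptables-save -t nat` output (the sample text is constructed, with an illustrative redirect port) and flags any PREROUTING or OUTPUT rule that sends port-53 traffic to a local port via REDIRECT, accepting both the `--to-port` spelling in the article and the `--to-ports` form that iptables-save writes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

DNS_PORT = 53

# Constructed sample of `iptables-save -t nat` output. The first rule mirrors
# the EdgeStepper rule from the article; 5353 is a made-up value for toPort.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

@dataclass
class Finding:
    chain: str
    proto: str
    to_port: Optional[int]   # None if REDIRECT has no explicit port
    rule: str

_RULE = re.compile(r"^-[AI]\s+(\S+)\s+(.*)$")   # "-A CHAIN rest" or "-I CHAIN rest"
_PROTO = re.compile(r"(?:^|\s)-p\s+(\S+)")
_DPORT = re.compile(r"--dports?\s+(\d+)")
_TARGET = re.compile(r"-j\s+(\S+)")
_TOPORT = re.compile(r"--to-ports?\s+(\d+)")

def find_dns_redirects(iptables_save_text: str) -> List[Finding]:
    """Return nat-table rules that divert DNS (port 53) into a local port."""
    findings: List[Finding] = []
    in_nat = True  # a bare rule list with no "*table" header is treated as nat
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):            # table header, e.g. "*nat" / "*filter"
            in_nat = line == "*nat"
            continue
        m = _RULE.match(line) if in_nat else None
        if not m or m.group(1) not in ("PREROUTING", "OUTPUT"):
            continue
        body = m.group(2)
        dport, target = _DPORT.search(body), _TARGET.search(body)
        if not dport or int(dport.group(1)) != DNS_PORT:
            continue
        if not target or target.group(1) != "REDIRECT":
            continue
        proto, toport = _PROTO.search(body), _TOPORT.search(body)
        findings.append(Finding(m.group(1), proto.group(1) if proto else "all",
                                int(toport.group(1)) if toport else None, line))
    return findings
```

A hit is not proof of compromise on its own, since some gateways redirect DNS deliberately (local filtering resolvers, captive portals), so confirm which process listens on the reported port and where it forwards queries.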
