A previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023, according to findings from cybersecurity firm ESET.
Attack Overview
"The attackers replaced the legitimate installer with one that also deployed the group's signature implant, which we have named SlowStepper – a feature-rich backdoor with a toolkit of more than 30 components," ESET researcher Facundo Muñoz revealed in a technical report shared with The Hacker News.
PlushDaemon is assessed to be a China-nexus group active since at least 2019, targeting individuals and organizations in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. A bespoke backdoor called SlowStepper is central to its operations. This backdoor is described as a large toolkit consisting of around 30 modules, programmed in C++, Python, and Go.
Exploitation Techniques
A crucial aspect of PlushDaemon’s attacks is its exploitation of legitimate software update channels and vulnerabilities in web servers to gain initial access to target networks. ESET’s findings indicate that PlushDaemon exploited an unknown vulnerability in an Apache HTTP server from an organization in Hong Kong in 2023.
In May 2024, ESET noticed malicious code embedded within the NSIS installer for Windows that was downloaded from the website of a VPN provider named IPany (ipany[.]kr). The compromised installer delivered both the legitimate VPN software and the SlowStepper backdoor. Although the malicious installer has since been removed, anyone who downloaded and installed the infected file could have been at risk.
Telemetry data gathered by ESET indicates that several users attempted to install the compromised software on networks associated with a semiconductor company and a software development firm in South Korea. Victims were also recorded in Japan and China as early as November and December 2023, respectively.
Attack Chain and Payload Delivery
The attack chain begins with the execution of the installer (“IPanyVPNsetup.exe”), which establishes persistence and launches a loader (“AutoMsg.dll”). This loader executes shellcode to load another DLL (“EncMgr.pkg”), which subsequently extracts two additional files (“NetNative.pkg” and “FeatureFlag.pkg”). These files are then used to sideload a malicious DLL (“lregdll.dll”) via a renamed utility (“PerfWatson.exe”, a modified version of regcap.exe from Microsoft Visual Studio).
Ultimately, the SlowStepper implant is loaded from the “winlogin.gif” file present within “FeatureFlag.pkg”. SlowStepper has been in development since January 2019, with the latest version (0.2.12) compiled in June 2024. However, the version deployed in this attack (0.2.10 Lite) contains fewer features than other versions.
SlowStepper Backdoor Capabilities
The SlowStepper backdoor is notable for its extensive suite of tools written in Python and Go. These tools enable data collection and surveillance, including:
- Browser Data Harvesting: Extracts data from Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Mozilla Firefox, and other browsers.
- Camera Access: Takes photos if a camera is connected.
- Information Gathering: Collects files with extensions such as .txt, .doc, .xls, and more, and harvests data from applications like WeChat, Tencent QQ, and Kingsoft WPS.
- Command Execution: Executes arbitrary commands and payloads hosted remotely.
- Custom Shell Activation: Grants attackers the ability to update backdoor components, run Python modules, and uninstall itself.
- Network and Location Tracking: Retrieves wireless network credentials and GPS coordinates of compromised machines.
Additional modules allow for screen recording, Telegram data extraction, file system scanning, and more. These tools are hosted on the Chinese code repository platform GitCode, with links to a Gitee account under investigation.
Command-and-Control Mechanism
SlowStepper’s command-and-control (C&C) mechanism is multistage. It constructs DNS queries to fetch TXT records from the domain 7051.gsm.360safe[.]company via public DNS servers (114DNS, Google, and Alibaba Public DNS). From this data, it selects one of 10 IP addresses to use as a C&C server. If these attempts fail, the backdoor uses a fallback domain (st.360safe[.]company) to establish communication.
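As an added example (not code from ESET's report), the following Python flags lookups of the two reported C&C domains in a constructed, tab-separated resolver log and rates TXT queries sent through the named public resolvers, the backdoor's bootstrap pattern, as high severity. The resolver IP addresses are an assumption: the report names the providers, not their addresses.

```python
"""Flag DNS lookups to the SlowStepper C&C domains in a resolver log.
Added example, not ESET's code. Log lines are constructed, tab-separated:
timestamp, client IP, resolver IP, query type, query name."""

# Indicators exactly as the report prints them (defanged with "[.]").
DEFANGED_C2_DOMAINS = ["7051.gsm.360safe[.]company", "st.360safe[.]company"]
# Assumption: the report names 114DNS, Google and Alibaba Public DNS; these are
# their well-known resolver addresses, which the report itself does not list.
PUBLIC_RESOLVERS = {"114.114.114.114", "8.8.8.8", "223.5.5.5", "223.6.6.6"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a normalised, matchable name."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

C2_DOMAINS = {refang(d) for d in DEFANGED_C2_DOMAINS}

def matches_c2(qname: str) -> bool:
    """True if qname is a C&C domain or any label beneath one."""
    qname = refang(qname)
    return any(qname == d or qname.endswith("." + d) for d in C2_DOMAINS)

def find_c2_lookups(log_text: str) -> list:
    """Return one dict per matching query; TXT lookups sent to a public
    resolver (the backdoor's bootstrap pattern) are rated 'high'."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split("\t")
        if len(fields) != 5:          # skip malformed or header lines
            continue
        ts, client, resolver, qtype, qname = fields
        if not matches_c2(qname):
            continue
        txt_bootstrap = qtype.upper() == "TXT" and resolver in PUBLIC_RESOLVERS
        hits.append({"ts": ts, "client": client, "resolver": resolver,
                     "qtype": qtype.upper(), "qname": refang(qname),
                     "severity": "high" if txt_bootstrap else "medium"})
    return hits

# Constructed sample: a TXT bootstrap query, a benign lookup, and a hit on the fallback domain.
SAMPLE_LOG = "\n".join([
    "2024-05-02T09:14:03Z\t10.0.5.21\t8.8.8.8\tTXT\t7051.gsm.360safe.company",
    "2024-05-02T09:14:04Z\t10.0.5.21\t10.0.0.53\tA\tupdate.example.org",
    "2024-05-02T09:20:17Z\t10.0.5.40\t114.114.114.114\tA\tst.360safe.company.",
])

if __name__ == "__main__":
    for h in find_c2_lookups(SAMPLE_LOG):
        print(h["severity"], h["client"], h["qtype"], h["qname"], "via", h["resolver"])
```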
The backdoor’s capabilities include capturing system information, running Python modules, downloading and executing files, and harvesting sensitive data. A unique feature is its ability to activate a custom shell via the “0x3A” command, which enhances its espionage functionality.
Espionage Tools and Implications
PlushDaemon’s toolkit also includes several programs written in Go for reverse proxy and file download functionalities. ESET’s analysis highlights SlowStepper’s multistage C&C protocol, extensive Python module library, and advanced espionage capabilities, making it a formidable threat.
Conclusion
"The numerous components in the PlushDaemon toolset and its rich version history show that, while previously unknown, this China-aligned APT group has been diligently developing a wide array of tools, making it a significant threat to watch for," said Muñoz.
This revelation underscores the growing sophistication of supply chain attacks and highlights the importance of securing software distribution channels to mitigate such threats.