ESET researchers have unveiled a cyberespionage operation carried out by PlushDaemon, a China-aligned Advanced Persistent Threat (APT) group. This operation involved compromising the supply chain of a South Korean VPN software in 2023, where the attackers replaced the legitimate installer with one that also deployed a sophisticated backdoor known as SlowStepper. This backdoor, unique to PlushDaemon, features a toolkit comprising more than 30 modules.

Key Points

- PlushDaemon is a China-aligned APT group focused on cyberespionage.
- Known for hijacking legitimate software updates, PlushDaemon has compromised a South Korean VPN developer.
- The group utilizes several unique implants, including SlowStepper for Windows.
- SlowStepper features over 30 modules written in C++, Python, and Go.

Attack Overview

In May 2024, malicious code was detected in a Windows installer from the website of the legitimate VPN software IPany, developed by a South Korean company. The installer combined genuine and malicious components and deployed the SlowStepper backdoor. Once notified, the VPN developer promptly removed the compromised installer from its site. ESET attributes this attack to PlushDaemon, a group active since at least 2019 and linked to cyberespionage in China, Taiwan, Hong Kong, South Korea, the USA, and New Zealand. PlushDaemon infiltrates systems by redirecting legitimate update traffic to attacker-controlled servers and then deploys SlowStepper; the group has also exploited vulnerabilities in legitimate web servers. ESET telemetry indicated that several users of IPany VPN, including a South Korean semiconductor company, attempted to install the compromised software. Initial victims appeared in Japan in November 2023 and China in December 2023.

Technical Details

Upon execution of the malicious IPanyVPNsetup.exe installer, directories are created and files are deployed, establishing persistence by modifying registry entries. The AutoMsg.dll loader initiates the main loading sequence, executing SlowStepper components that install and maintain the backdoor's presence on the system. SlowStepper, detected as version 0.2.10 Lite, lacks some of the features present in other variants. The malware communicates with its command-and-control (C&C) servers via dynamically fetched DNS records. It retrieves C&C server addresses using a base64-encoded AES-encrypted string. Command execution via SlowStepper uses a shell-like interface, capable of executing Python modules and managing file systems through a series of commands.

Command and Control

SlowStepper’s communication employs a multi-stage approach, querying DNS to obtain C&C server addresses. If primary servers are unavailable, the malware resolves alternative domains for fallback communication.
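The two paragraphs above describe a C&C scheme in which the backdoor fetches its server address from a DNS record carrying a base64-wrapped, AES-encrypted string, and falls back to alternative domains when the primary ones fail. Without the key the payload cannot be decrypted, but the shape of that traffic is itself detectable. The following is an added example written for this summary, not code from ESET or from the malware; it assumes a simplified DNS log format (timestamp, client, query type, name, record data), assumes the string travels in TXT records (the record type is not stated on the page), and uses constructed sample lines with placeholder domain names. It flags TXT answers that are valid base64 decoding to a high-entropy blob whose length is a multiple of the AES block size, then reports clients that receive such answers from more than one domain inside a short window, which is what a primary-then-fallback lookup sequence would look like.

```python
import base64
import binascii
import math
from collections import Counter, defaultdict

AES_BLOCK = 16  # AES ciphertext (ECB/CBC) is always a multiple of the block size


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted data sits near the top of the scale."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_wrapped_ciphertext(rdata: str, min_len: int = 16,
                                  min_entropy: float = 3.5) -> bool:
    """True if rdata is strict base64 that decodes to a block-aligned,
    high-entropy blob. SPF/DMARC text and short tokens fail these checks."""
    try:
        raw = base64.b64decode(rdata, validate=True)
    except (binascii.Error, ValueError):
        return False
    if len(raw) < min_len or len(raw) % AES_BLOCK != 0:
        return False
    return shannon_entropy(raw) >= min_entropy


def analyze(log_text: str, window: int = 60):
    """Return (flagged records, clients rotating across >1 flagged domain
    within `window` seconds). Log format is an assumption of this example."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue  # malformed line: skip rather than crash the sweep
        ts, client, qtype, qname, rdata = parts
        if qtype == "TXT" and looks_like_wrapped_ciphertext(rdata):
            flagged.append((int(ts), client, qname))

    by_client = defaultdict(list)
    for ts, client, qname in flagged:
        by_client[client].append((ts, qname))

    rotating = {}
    for client, recs in by_client.items():
        recs.sort()
        for ts, _ in recs:
            names = {q for t, q in recs if ts <= t <= ts + window}
            if len(names) > 1:  # fallback-style domain rotation
                rotating[client] = sorted(names)
                break
    return flagged, rotating


# Constructed stand-ins for AES ciphertext: 32 distinct byte values each,
# so they are block-aligned and maximally high entropy for their length.
CT_A = base64.b64encode(bytes(range(0, 256, 8))).decode()
CT_B = base64.b64encode(bytes(range(255, -1, -8))).decode()

# Constructed sample log; ".test" domains are placeholders, not real IoCs.
SAMPLE_LOG = "\n".join([
    "1700000000 10.0.0.5 TXT _spf.example-legit.test v=spf1 include:_spf.example-legit.test -all",
    f"1700000001 10.0.0.5 TXT cfg.placeholder-c2-a.test {CT_A}",
    f"1700000002 10.0.0.5 TXT cfg.placeholder-c2-b.test {CT_B}",
    "1700000003 10.0.0.7 TXT note.example-legit.test aGVsbG8=",
    "1700000004 10.0.0.9 TXT _dmarc.example-legit.test v=DMARC1; p=none",
])

if __name__ == "__main__":
    hits, rotation = analyze(SAMPLE_LOG)
    for ts, client, qname in hits:
        print(f"{ts} {client} ciphertext-like TXT from {qname}")
    for client, names in rotation.items():
        print(f"{client} rotated across {len(names)} domains: {', '.join(names)}")
```

The entropy and block-alignment checks are deliberately loose so the rule surfaces candidates for an analyst rather than asserting malice; legitimate base64 in TXT records (for example DKIM public keys) can also score high, so the domain-rotation correlation and the 2023 installer IoCs from ESET's repository are what turn a hit into an investigation.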

This analysis highlights PlushDaemon’s advanced capabilities and persistence in developing a wide-ranging toolkit, marking it as a significant threat. Their supply chain compromise of a Korean VPN demonstrates the group's ongoing efforts to expand its cyberespionage operations, particularly in East Asia.

Further Information

For more details on this research, please contact ESET Research or visit their Threat Intelligence page. Comprehensive indicators of compromise can be found in ESET's GitHub repository.
