PlushDaemon Hackers Hijack Software Updates in Supply Chain Attacks

Summary
– The China-linked threat actor ‘PlushDaemon’ uses the EdgeStepper implant to hijack software update traffic for cyberespionage.
– Since 2018, PlushDaemon has targeted entities in the U.S., China, Taiwan, Hong Kong, South Korea, and New Zealand with custom malware like the SlowStepper backdoor.
– The group compromises routers via vulnerabilities or weak passwords to redirect update traffic and deploy malware, including the LittleDaemon downloader and DaemonicLogistics dropper.
– The SlowStepper backdoor enables extensive system spying, including data theft, command execution, and the use of Python-based spyware tools.
– ESET researchers warn that PlushDaemon’s adversary-in-the-middle capabilities are strong enough to compromise targets globally.
A sophisticated hacking group known as PlushDaemon is actively hijacking legitimate software update channels to deploy custom malware in global cyberespionage campaigns. This China-linked threat actor has been tracked since 2018, targeting entities across the United States, China, Taiwan, Hong Kong, South Korea, and New Zealand. Their operations have impacted electronics manufacturers, academic institutions, and even a Japanese automotive plant located in Cambodia. According to cybersecurity firm ESET, since 2019 the group has increasingly relied on malicious software updates to infiltrate victim networks.
The attack begins when PlushDaemon compromises routers by exploiting known security flaws or weak administrative passwords. Once inside, they install a specialized implant called EdgeStepper, which redirects software update traffic to infrastructure controlled by the attackers. Developed in the Go programming language and compiled as an ELF binary, EdgeStepper intercepts DNS queries and reroutes them to a rogue DNS server after verifying that the domain is used for distributing software updates.
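Because EdgeStepper sits on the gateway and rewrites only DNS answers for update domains, one defender-side check is to compare the answers a host receives through the LAN gateway with answers from a resolver reached over an independent path. The script below is an added example written for this article, not code from ESET or BleepingComputer; the log format, domains and IP addresses are constructed.

```python
"""Flag update domains whose gateway DNS answers diverge from an
out-of-band resolver (heuristic for gateway-level DNS redirection).
Assumptions: one log line per lookup in the constructed format
'<resolver> <domain> <comma-separated A records>', where resolver is
'gateway' (the router's resolver) or 'oob' (out-of-band, e.g. a resolver
reached over a separate uplink)."""
import ipaddress
from collections import defaultdict

# Constructed sample lookups; all names and addresses are placeholders.
SAMPLE_LOG = """\
gateway update.ime-vendor.test 198.51.100.7
oob     update.ime-vendor.test 203.0.113.10,203.0.113.11
gateway www.ime-vendor.test 203.0.113.20
oob     www.ime-vendor.test 203.0.113.20
gateway cdn-update.office-suite.test 203.0.113.31
oob     cdn-update.office-suite.test 203.0.113.31,203.0.113.32
"""

# Update domains the organisation cares about (constructed list).
UPDATE_DOMAINS = {"update.ime-vendor.test", "cdn-update.office-suite.test"}

def parse_log(text):
    """Return {domain: {resolver: set_of_ips}}; malformed lines are skipped."""
    table = defaultdict(dict)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        resolver, domain, ips = parts
        try:
            answers = {ipaddress.ip_address(ip) for ip in ips.split(",")}
        except ValueError:
            continue  # not an IP list, ignore the line
        table[domain.lower()][resolver] = answers
    return table

def find_hijack_candidates(table, update_domains):
    """Update domains where gateway and out-of-band answers share no IP."""
    findings = []
    for domain in sorted(update_domains):
        resolvers = table.get(domain.lower(), {})
        gw, oob = resolvers.get("gateway"), resolvers.get("oob")
        if not gw or not oob:
            continue  # cannot compare without both views
        if gw.isdisjoint(oob):
            findings.append((domain, sorted(map(str, gw)), sorted(map(str, oob))))
    return findings

if __name__ == "__main__":
    for domain, gw, oob in find_hijack_candidates(parse_log(SAMPLE_LOG), UPDATE_DOMAINS):
        print(f"DIVERGENT {domain}: gateway={gw} out-of-band={oob}")
```

CDN-backed update hosts legitimately return different addresses per resolver, so a divergent answer set is a triage signal to confirm against the vendor's published ranges, not proof of compromise.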
When an unsuspecting user attempts to update their software, they are instead served a first-stage Windows downloader named LittleDaemon. This malware is disguised as a DLL file called ‘popup_4.2.0.2246.dll.’ LittleDaemon then communicates with the attacker’s hijacked node to fetch a second-stage dropper known as DaemonicLogistics, which is decrypted and run directly in the system’s memory.
In the final phase, DaemonicLogistics retrieves the group’s signature backdoor, SlowStepper. This backdoor has previously been linked to attacks against users of the South Korean VPN service IPany, where victims unknowingly downloaded a trojanized installer from the vendor’s official site. SlowStepper provides extensive control over infected systems, allowing operators to gather detailed system data, perform file operations, execute commands, and deploy Python-based spyware tools capable of stealing browser data, capturing keystrokes, and harvesting login credentials.
ESET researchers confirmed that PlushDaemon has hijacked updates for Sogou Pinyin, a widely used Chinese input method editor, but note that other software products have been compromised using the same technique. The group’s advanced adversary-in-the-middle capabilities are considered powerful enough to compromise targets anywhere in the world.
The report published today includes comprehensive technical details for all newly identified malware families, along with a full set of indicators of compromise covering malicious files, IP addresses, and domains associated with the EdgeStepper implant.
(Source: Bleeping Computer)
