PlushDaemon APT Targets South Korean VPN Provider in Supply Chain Attack

By Viral Trending Content 8 Min Read

A previously undocumented China-aligned advanced persistent threat (APT) group named PlushDaemon has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023, according to new findings from ESET.

“The attackers replaced the legitimate installer with one that also deployed the group’s signature implant that we have named SlowStepper – a feature-rich backdoor with a toolkit of more than 30 components,” ESET researcher Facundo Muñoz said in a technical report shared with The Hacker News.

PlushDaemon is assessed to be a China-nexus group that has been operational since at least 2019, targeting individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.

Central to its operations is a bespoke backdoor called SlowStepper, which is described as a large toolkit consisting of around 30 modules, programmed in C++, Python, and Go.

Another crucial aspect of its attacks is the hijacking of legitimate software update channels and exploitation of vulnerabilities in web servers to gain initial access to the target network.

The Slovakian cybersecurity company said it noticed in May 2024 malicious code embedded within the NSIS installer for Windows downloaded from the website of a VPN software provider named IPany (“ipany[.]kr/download/IPanyVPNsetup.zip”).

The rogue version of the installer, which has since been removed from the website, is designed to drop the legitimate software as well as the SlowStepper backdoor. It’s currently not clear who the exact targets of the supply chain attack are, although any individual or entity downloading the booby-trapped ZIP archive could have been at risk.

Telemetry data gathered by ESET shows that several users attempted to install the trojanized software in the networks associated with a semiconductor company and an unidentified software development company in South Korea. The oldest victims were recorded from Japan and China in November and December 2023, respectively.

The attack chain starts with the execution of the installer (“IPanyVPNsetup.exe”), which proceeds to establish persistence on the host between reboots and launches a loader (“AutoMsg.dll”) that, in turn, is responsible for running shellcode that loads another DLL (“EncMgr.pkg”).

The DLL subsequently extracts two more files (“NetNative.pkg” and “FeatureFlag.pkg”) that are utilized to sideload a malicious DLL file (“lregdll.dll”) using “PerfWatson.exe,” which is a renamed version of a legitimate command-line utility named regcap.exe that’s part of Microsoft Visual Studio.

The end goal of the DLL is to load the SlowStepper implant from the winlogin.gif file present within FeatureFlag.pkg. SlowStepper is believed to be in the works since January 2019 (version 0.1.7), with the latest iteration (0.2.12) compiled in June 2024.
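The chain above has two shapes a defender can look for independently of the specific file names: a signed Microsoft binary running under a name that differs from the one it was built with (regcap.exe as PerfWatson.exe), and an unsigned DLL loaded from the process's own user-writable directory (the sideload itself). The following is an added example written for this article, not ESET's code or tooling: it runs those two generic rules, plus a name match on the files reported above, over constructed image-load events shaped loosely like Sysmon telemetry. The event layout, the `PROTECTED_PREFIXES` list and the sample paths are assumptions for the demonstration.

```python
import ntpath
from dataclasses import dataclass

# File names from the reported attack chain (taken from the article above). Name
# matching is brittle, so the two generic rules below matter more than this list.
IOC_NAMES = {
    "ipanyvpnsetup.exe", "automsg.dll", "encmgr.pkg", "netnative.pkg",
    "featureflag.pkg", "perfwatson.exe", "lregdll.dll", "winlogin.gif",
}

# Assumption: directories a standard user cannot write to. A DLL loaded from
# anywhere else by a signed binary deserves a second look.
PROTECTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


@dataclass
class Finding:
    rule: str
    image: str
    detail: str


def _in_protected_dir(path: str) -> bool:
    return path.lower().startswith(PROTECTED_PREFIXES)


def analyze_image_loads(events):
    """Each event is a constructed dict: image (process exe path), original_file_name
    (from the exe's version resource), module (loaded DLL path), module_signed (bool)."""
    findings = []
    for ev in events:
        image = ev["image"]
        module = ev["module"]
        exe_name = ntpath.basename(image).lower()
        dll_name = ntpath.basename(module).lower()

        # Rule 1: a file name from the reported chain, on either side of the load.
        hits = sorted({exe_name, dll_name} & IOC_NAMES)
        if hits:
            findings.append(Finding("ioc-filename", image, ", ".join(hits)))

        # Rule 2: the on-disk name differs from the name the binary was built with,
        # e.g. regcap.exe running as PerfWatson.exe.
        original = ev.get("original_file_name", "").lower()
        if original and original != exe_name:
            findings.append(Finding("renamed-binary", image, f"OriginalFileName={original}"))

        # Rule 3: unsigned DLL loaded from the process's own, user-writable directory,
        # which is the classic search-order sideload shape.
        same_dir = ntpath.dirname(image).lower() == ntpath.dirname(module).lower()
        if not ev.get("module_signed", False) and same_dir and not _in_protected_dir(module):
            findings.append(Finding("sideload-candidate", image, module))
    return findings


# Constructed sample telemetry; paths and the vendor app are invented.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\svchost.exe", "original_file_name": "svchost.exe",
     "module": r"C:\Windows\System32\ntdll.dll", "module_signed": True},
    {"image": r"C:\Users\user\Downloads\IPanyVPNsetup.exe", "original_file_name": "IPanyVPNsetup.exe",
     "module": r"C:\Users\user\Downloads\AutoMsg.dll", "module_signed": False},
    {"image": r"C:\Program Files\Vendor\app.exe", "original_file_name": "app.exe",
     "module": r"C:\Program Files\Vendor\helper.dll", "module_signed": True},
    {"image": r"C:\Users\user\AppData\Local\Temp\PerfWatson.exe", "original_file_name": "regcap.exe",
     "module": r"C:\Users\user\AppData\Local\Temp\lregdll.dll", "module_signed": False},
]


if __name__ == "__main__":
    for f in analyze_image_loads(SAMPLE_EVENTS):
        print(f"{f.rule:20} {f.image}  ({f.detail})")
```

On the sample events the benign svchost and vendor-app loads produce nothing, the trojanized installer triggers the name match and the sideload rule, and the renamed regcap.exe triggers all three. In production the `original_file_name` field comes from the PE version resource that Sysmon already records, so rule 2 costs nothing extra to run.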

“Although the code contains hundreds of functions, the particular variant used in the supply-chain compromise of the IPany VPN software appears to be version 0.2.10 Lite, according to the backdoor’s code,” Muñoz said. “The so-called ‘Lite’ version indeed contains fewer features than other previous and newer versions.”

Both the full and Lite versions make use of an extensive suite of tools written in Python and Go that allows for the gathering of data and clandestine surveillance through the recording of audio and videos. The tools are said to have been hosted in the Chinese code repository platform GitCode.

As for command-and-control (C&C), SlowStepper sends a DNS query for the TXT record of the domain 7051.gsm.360safe[.]company to one of three public DNS servers (114DNS, Google, and Alibaba Public DNS) in order to fetch an array of 10 IP addresses, one of which is then chosen as the C&C server that processes operator-issued commands.

“If, after a number of attempts, it fails to establish a connection to the server, it uses the gethostbyname API on the domain st.360safe[.]company to obtain the IP address mapped to that domain and uses the obtained IP as its fallback C&C server,” Muñoz explained.
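The C&C resolution described in the two paragraphs above leaves three observable traces in DNS telemetry: a TXT lookup of a specific domain, that lookup going straight to a public resolver instead of the organisation's own, and a TXT answer that is really a list of IP addresses. The script below is an added example written for this article, not ESET's code, that checks each of those over a few constructed DNS log lines. The log format (`timestamp client resolver qtype qname answer`), the internal-resolver address, the threshold of five addresses, and the resolver IPs for 114DNS, Google and Alibaba Public DNS (the article names the services but not their addresses) are all assumptions; only the two domains come from the report.

```python
import ipaddress
import re
from dataclasses import dataclass

# Domains named in the ESET report (defanged on the page; written plainly here so
# they match log text). Anything under the parent domain is treated the same way.
CNC_PARENT = "360safe.company"
TXT_CNC_DOMAIN = "7051.gsm." + CNC_PARENT
FALLBACK_CNC_DOMAIN = "st." + CNC_PARENT

# Assumption: the well-known anycast addresses of the three public resolvers the
# report names (114DNS, Google, Alibaba Public DNS); the article lists no IPs.
PUBLIC_RESOLVERS = {"114.114.114.114", "8.8.8.8", "223.5.5.5"}

# Assumption: a TXT answer holding this many IPv4 literals is worth a look.
MIN_IPS_IN_TXT = 5

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


@dataclass
class Finding:
    rule: str
    client: str
    qname: str
    detail: str


def _ips_in(text: str) -> list:
    """Return the syntactically valid IPv4 literals found in a TXT payload."""
    out = []
    for tok in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(tok)
            out.append(tok)
        except ValueError:
            pass
    return out


def parse_line(line: str):
    """Constructed log format: ts client resolver qtype qname [answer...]."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5:
        return None
    ts, client, resolver, qtype, qname = parts[:5]
    answer = parts[5] if len(parts) == 6 else ""
    return {"ts": ts, "client": client, "resolver": resolver,
            "qtype": qtype.upper(), "qname": qname.rstrip(".").lower(), "answer": answer}


def analyze(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        q = rec["qname"]
        # Rule 1: any lookup of the reported C&C domains (primary TXT or fallback A).
        if q == CNC_PARENT or q.endswith("." + CNC_PARENT):
            findings.append(Finding("known-cnc-domain", rec["client"], q, rec["qtype"]))
        if rec["qtype"] == "TXT":
            # Rule 2: TXT query sent directly to a public resolver, bypassing the internal one.
            if rec["resolver"] in PUBLIC_RESOLVERS:
                findings.append(Finding("txt-to-public-resolver", rec["client"], q, rec["resolver"]))
            # Rule 3: TXT answer that is essentially a list of IP addresses.
            ips = _ips_in(rec["answer"])
            if len(ips) >= MIN_IPS_IN_TXT:
                findings.append(Finding("ip-list-in-txt", rec["client"], q, f"{len(ips)} addresses"))
    return findings


# Constructed sample log; 10.0.0.53 plays the internal resolver, addresses are documentation ranges.
SAMPLE_LOG = """\
2024-05-02T10:15:01Z 10.0.0.21 10.0.0.53 A intranet.corp.example 10.0.0.40
2024-05-02T10:15:03Z 10.0.0.21 10.0.0.53 TXT _dmarc.corp.example "v=DMARC1; p=reject"
2024-05-02T10:15:07Z 10.0.0.21 114.114.114.114 TXT 7051.gsm.360safe.company "203.0.113.5,203.0.113.6,203.0.113.7,203.0.113.8,203.0.113.9,203.0.113.10,203.0.113.11,203.0.113.12,203.0.113.13,203.0.113.14"
2024-05-02T10:16:30Z 10.0.0.21 10.0.0.53 A st.360safe.company 198.51.100.20
2024-05-02T10:17:00Z 10.0.0.22 10.0.0.53 A www.example.org 93.184.216.34
"""


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"{f.rule:24} {f.client:12} {f.qname}  ({f.detail})")
```

Rules 2 and 3 are the ones worth keeping after the indicators rotate: a workstation that speaks TXT directly to 8.8.8.8 or 114.114.114.114, or receives a TXT answer stuffed with addresses, is unusual regardless of the domain, and the same shape appears in other DNS-bootstrapped C&C schemes. Blocking direct outbound port 53 from clients, so only the internal resolver can reach the public ones, also breaks this implant's primary resolution path.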

The commands run a wide gamut, permitting it to capture exhaustive system information; execute a Python module; delete specific files; run commands via cmd.exe; enumerate the file system; download and execute files; and even uninstall itself. A rather unusual feature of the backdoor is the activation of a custom shell on receipt of the “0x3A” command.

This grants the attacker the ability to execute arbitrary payloads hosted remotely (gcall), update components of the backdoor (update), and run a Python module on the compromised machine (pycall), the last of which downloads a ZIP archive from the GitCode account that contains the Python interpreter and the library to be run in order to collect information of interest –

  • Browser, which harvests data from web browsers such as Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Cốc Cốc browser, UC Browser, 360 Browser, and Mozilla Firefox
  • Camera, which takes photos if a camera is connected to the compromised machine
  • CollectInfo, which harvests files matching extensions .txt, .doc, .docx, .xls, .xlsx, .ppt, and .pptx, as well as information from apps like LetsVPN, Tencent QQ, WeChat, Kingsoft WPS, e2eSoft VCam, KuGou, Oray Sunlogin, and ToDesk
  • Decode, which downloads a module from the remote repository and decrypts it
  • DingTalk, which harvests chat messages from DingTalk
  • Download, which downloads non-malicious Python packages
  • FileScanner and FileScannerAllDisk, which scan the system for files
  • getOperaCookie, which obtains cookies from the Opera browser
  • Location, which obtains the IP address of the computer and the GPS coordinates
  • qpass, which harvests data from Tencent QQ Browser (likely replaced by the qqpass module)
  • qqpass and Webpass, which harvest passwords from Google Chrome, Mozilla Firefox, Tencent QQ Browser, 360 Chrome, and UC Browser
  • ScreenRecord, which records the screen
  • Telegram, which harvests data from Telegram
  • WeChat, which harvests data from WeChat
  • WirelessKey, which harvests wireless network information and passwords

ESET said it also identified in the remote code repository several software programs written in Golang that offer reverse proxy and download functionalities.

“This backdoor is notable for its multistage C&C protocol using DNS, and its ability to download and execute dozens of additional Python modules with espionage capabilities,” Muñoz said.

“The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for.”
