ESET researchers discovered that China-aligned threat group PlushDaemon performs adversary-in-the-middle attacks using a previously undocumented implant for network devices (e.g., a router) that ESET named EdgeStepper, which redirects all DNS queries to a malicious external DNS server that replies with the address of another node that performs the hijacking of updates.
Effectively rerouting software updates traffic to attacker-controlled infrastructure with the aim of deploying the downloaders LittleDaemon and DaemonicLogistics in targeted machines and to ultimately distribute the SlowStepper implant. SlowStepper is a backdoor toolkit with dozens of components used for cyberespionage. These implants give PlushDaemon the capability to compromise targets anywhere in the world.
Since 2019, this China-aligned group has deployed attacks in the United States, New Zealand, Cambodia, Hong Kong, Taiwan, and mainland China itself. Among their victims were a university in Beijing, a Taiwanese company that manufactures electronics, a company in the automotive sector, and a branch of a Japanese company in the manufacturing sector.
In the discovered attack scenario, PlushDaemon first compromises a network device to which their target might connect; the compromise is probably achieved by exploiting a vulnerability in the software running on the device or through weak and/or well-known default administrative credentials, enabling the attackers to deploy EdgeStepper (and possibly other tools).
“Then, EdgeStepper begins redirecting DNS queries to a malicious DNS node that verifies whether the domain in the DNS query message is related to software updates, and if so, it replies with the IP address of the hijacking node. Alternatively, we have also observed that some servers are both the DNS node and the hijacking node; in those cases, the DNS node replies to DNS queries with its own IP address,” says ESET researcher Facundo Muñoz, who discovered and analyzed the attack. “Several popular Chinese software products had their updates hijacked by PlushDaemon via EdgeStepper,” he adds.
PlushDaemon is a China-aligned threat actor active since at least 2018 that engages in espionage operations against individuals and entities in East Asia-Pacific and the United States. It uses a custom backdoor that ESET tracks as SlowStepper. In the past, ESET Research has observed the group gaining access via vulnerabilities in web servers, and in 2023 it performed a supply-chain attack.
