The threat actor known as PlushDaemon, assessed to be a sophisticated China-aligned group active since at least 2018, has been observed deploying a previously undocumented network backdoor named EdgeStepper. This Go-based tool is central to facilitating Adversary-in-the-Middle (AitM) attacks. ESET security researcher Facundo Muñoz explained that EdgeStepper’s primary function is to redirect all DNS queries to an external, malicious hijacking node. This rerouting effectively steers traffic away from legitimate software update infrastructure toward servers under the attacker’s control, a technique of initial access and lateral movement that has been increasingly adopted by China-affiliated Advanced Persistent Threat (APT) clusters in the last two years.
PlushDaemon’s targets have included a diverse array of entities across the U.S., New Zealand, Cambodia, Hong Kong, Taiwan, South Korea, and mainland China. Earlier in 2023, the group was first documented by ESET for its supply chain attack against a South Korean VPN provider named IPany. That campaign specifically targeted a semiconductor company and a software development firm in South Korea with a feature-rich implant known as SlowStepper. The adversary’s growing victimology also encompasses a university in Beijing, a Taiwanese electronics manufacturer, and companies in the automotive and manufacturing sectors; activity observed earlier this year also targeted entities in Cambodia.
The attack sequence begins with the threat actor compromising an edge network device, such as a router, to which the target is likely to connect. This compromise is achieved either by exploiting a security flaw in the device’s software or by using weak credentials, allowing the threat actor to deploy EdgeStepper onto the compromised device. Once deployed, EdgeStepper begins redirecting DNS queries to a malicious DNS node. This node checks whether the domain in the query relates to software updates; if it does, the node replies with the IP address of the hijacking server. In some observed cases, ESET noted that the DNS node and the hijacking node were the same server, which simply answered the DNS queries with its own IP address.
Internally, EdgeStepper consists of two modules. The first is the Distributor module, which resolves the IP address associated with a specific DNS node domain. The second is the Ruler component, which the Distributor then invokes. The Ruler configures the IP packet filter rules on the compromised device, typically using iptables, to enforce the malicious DNS redirection. This mechanism is what lets the group control the traffic flow and execute the subsequent stages of the attack chain.
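The two behaviours described above (a DNS node that answers update-related names with the hijacking server's address, and in some cases with its own address) can be checked for from DNS traffic captured upstream of the edge device. The following is an added detection example, not code from ESET or from the EdgeStepper samples; the hostnames, addresses, update keywords and thresholds are constructed assumptions, and because the router rewrites packets with iptables the observation point must sit between the router and the internet, not on the client.

```python
"""Offline heuristics for the DNS-redirection pattern described in the article."""
from collections import defaultdict
from typing import Iterable, List, NamedTuple, Set, Tuple


class DnsObservation(NamedTuple):
    server_ip: str   # address that actually answered the query on the wire
    qname: str       # queried name
    answer_ip: str   # A record returned in the response


# Assumed keywords; the article names only Sogou Pinyin as a hijacked product.
UPDATE_HINTS = ("update", "upgrade", "download")


def is_update_name(qname: str) -> bool:
    """Crude classifier for software-update hostnames (assumption, tune per environment)."""
    labels = qname.lower().rstrip(".").split(".")
    return any(hint in label for label in labels for hint in UPDATE_HINTS)


def find_indicators(obs: Iterable[DnsObservation], trusted_servers: Set[str],
                    min_shared: int = 2) -> List[Tuple[str, ...]]:
    """Return (indicator, detail...) tuples; an empty list means nothing suspicious."""
    findings: List[Tuple[str, ...]] = []
    update_names_by_answer = defaultdict(set)
    for o in obs:
        # Queries answered by a server that is not one of the expected resolvers.
        if o.server_ip not in trusted_servers:
            findings.append(("untrusted_server", o.qname, o.server_ip))
        # The observed case: DNS node and hijacking node are one host answering with itself.
        if o.answer_ip == o.server_ip:
            findings.append(("answer_is_server", o.qname, o.answer_ip))
        if is_update_name(o.qname):
            update_names_by_answer[o.answer_ip].add(o.qname)
    # Unrelated update hostnames collapsing onto one address suggests a single hijacking server.
    for ip, names in update_names_by_answer.items():
        if len(names) >= min_shared:
            findings.append(("shared_update_answer", ip, ",".join(sorted(names))))
    return findings


# Constructed sample: a rogue server in 203.0.113.0/24 answers two update names with itself.
SAMPLE = [
    DnsObservation("203.0.113.10", "update.ime-vendor.test", "203.0.113.10"),
    DnsObservation("203.0.113.10", "download.office-vendor.test", "203.0.113.10"),
    DnsObservation("198.51.100.53", "www.news-site.test", "198.51.100.80"),
]
TRUSTED = {"198.51.100.53"}

if __name__ == "__main__":
    for finding in find_indicators(SAMPLE, TRUSTED):
        print(*finding)
```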
The ultimate objective of the EdgeStepper operation is to hijack the update channels of specific software, including several Chinese applications such as Sogou Pinyin. This hijacking allows the attackers to deliver a malicious DLL, known as LittleDaemon, from a threat actor-controlled server. LittleDaemon serves as a first-stage implant that communicates with the attacker’s infrastructure to fetch a downloader called DaemonicLogistics, provided the more advanced SlowStepper backdoor is not already running on the infected system. The role of DaemonicLogistics is straightforward: it downloads the full SlowStepper backdoor from the server and executes it. SlowStepper is a powerful tool with an extensive feature set for gathering system information, exfiltrating files, stealing browser credentials, and extracting data from numerous messaging applications; it even includes a self-uninstall feature.