PlushDaemon, a China-linked advanced persistent threat (APT) group, has launched a supply chain attack against a South Korean VPN provider. Reports reveal that this attack involved replacing the legitimate VPN installer with a compromised version. This altered installer deployed SlowStepper, a backdoor featuring over 30 components designed for data collection and espionage.
PlushDaemon, active since 2019, focuses on targets in China, Taiwan, South Korea, and other regions. Central to its methods is exploiting vulnerabilities in software update channels and web servers. For example, the group recently used an unknown flaw in the Apache HTTP server to infiltrate networks.
In May 2024, researchers detected malicious code within an NSIS installer from the VPN provider’s website. Victims downloading this version unknowingly installed the backdoor along with the legitimate software. Several users from industries like semiconductors and software development were affected, with incidents traced back to late 2023 in Japan and China.
The attack starts with the execution of the compromised installer, which embeds persistence mechanisms and launches multiple malicious scripts. These scripts bypass security tools and deploy SlowStepper. This backdoor utilizes tools written in Python, Go, and C++ to collect data, record audio and video, and perform surveillance.
The backdoor’s command-and-control (C&C) system uses DNS queries to obtain IP addresses for its servers. If connections fail, it relies on fallback methods to maintain communication. Its commands include capturing system data, executing scripts, and uninstalling itself if needed.
Among SlowStepper's more unusual features is a custom shell that the operators can activate to execute remote commands. Researchers also found related tools in public repositories, highlighting the breadth of PlushDaemon's toolkit. The group has steadily built a robust espionage platform, making it a significant cyber threat.
Preventing the Threat
Organizations should prioritize regular software updates and implement strict code-signing protocols for software distribution. Training employees to detect phishing and supply chain attacks is crucial. Deploying advanced endpoint detection systems and monitoring DNS activity can further reduce risks. Collaborating with cybersecurity experts for regular threat assessments also strengthens defenses against sophisticated attackers like PlushDaemon.
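Two of the defensive measures above, verifying that a downloaded installer matches the hash the vendor publishes out of band, and watching DNS activity of freshly installed software for lookups outside the vendor's own domains (the pattern a DNS-based C&C resolver with fallbacks would produce), can be put into practice with a small script. The following is an added example written for this article, not code from the researchers or from any vendor; the DNS log format, the process names, the `.test` domains and the `VENDOR_DOMAINS` allowlist are all constructed assumptions.

```python
import hashlib
import re
from collections import defaultdict

# Constructed, hypothetical DNS query log format (one lookup per line):
# <timestamp> <process> <query_name> <rcode>
DNS_LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

# Constructed sample log: an installer resolving the vendor's hosts, then
# several unrelated names, two of which fail (a fallback-style pattern).
SAMPLE_LOG = [
    "2024-05-01T09:00:01 vpn-installer.exe update.example-vpn.test NOERROR",
    "2024-05-01T09:00:02 vpn-installer.exe cdn.example-vpn.test NOERROR",
    "2024-05-01T09:00:05 vpn-installer.exe a1.resolver-one.test NXDOMAIN",
    "2024-05-01T09:00:06 vpn-installer.exe a2.resolver-two.test SERVFAIL",
    "2024-05-01T09:00:07 vpn-installer.exe svc.unrelated.test NOERROR",
    "2024-05-01T09:01:00 browser.exe www.search.test NOERROR",
]

# Domains the vendor's installer is expected to contact (assumed allowlist).
VENDOR_DOMAINS = {"example-vpn.test"}


def verify_installer_bytes(data, expected_sha256):
    """Return True if SHA-256(data) equals the hash published by the vendor."""
    return hashlib.sha256(data).hexdigest().lower() == expected_sha256.lower()


def verify_installer(path, expected_sha256):
    """Hash a file on disk in chunks and compare it with the published hash."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest().lower() == expected_sha256.lower()


def _in_allowlist(qname, allowed_domains):
    """True if qname is one of the allowed domains or a subdomain of one."""
    return any(qname == d or qname.endswith("." + d) for d in allowed_domains)


def suspicious_dns(log_lines, vendor_domains, threshold=3):
    """Flag processes that resolve at least `threshold` distinct names outside
    the vendor allowlist. Returns {process: (sorted unexpected names,
    number of failed lookups)}; the failure count hints at fallback resolution.
    """
    per_process = defaultdict(lambda: {"unexpected": set(), "failures": 0})
    for line in log_lines:
        match = DNS_LOG_LINE.match(line.strip())
        if not match:
            continue  # skip lines that do not fit the assumed format
        _, process, qname, rcode = match.groups()
        qname = qname.rstrip(".").lower()
        if not _in_allowlist(qname, vendor_domains):
            per_process[process]["unexpected"].add(qname)
        if rcode != "NOERROR":
            per_process[process]["failures"] += 1

    alerts = {}
    for process, stats in per_process.items():
        if len(stats["unexpected"]) >= threshold:
            alerts[process] = (sorted(stats["unexpected"]), stats["failures"])
    return alerts


if __name__ == "__main__":
    for process, (names, failures) in suspicious_dns(SAMPLE_LOG, VENDOR_DOMAINS).items():
        print(f"ALERT {process}: {len(names)} unexpected lookups, {failures} failed: {names}")
```

The hash check only helps if the expected value comes from a channel independent of the download site (a signed release note, a vendor-controlled hash list), since an attacker who can swap the installer on a web server can usually swap a hash displayed beside it as well. The DNS heuristic is deliberately simple; in production the allowlist would be populated from the vendor's documented endpoints and the threshold tuned against a baseline of normal installer behaviour.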