PlushDaemon compromises network devices for adversary-in-the-middle attacks

ESET researchers provide insights into how PlushDaemon conducts adversary-in-the-middle attacks using a previously undocumented network implant known as EdgeStepper. This implant redirects all DNS queries to a malicious hijacking node, effectively rerouting traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure.

Key points in this blogpost:

  • We analyzed the network implant EdgeStepper to understand how PlushDaemon attackers compromise their targets.
  • We provide an analysis of LittleDaemon and DaemonicLogistics, two downloaders that deploy the group’s signature SlowStepper backdoor on Windows machines.

PlushDaemon profile

PlushDaemon is a threat actor aligned with China, active since at least 2018, engaging in espionage operations against individuals and entities in various countries. They use a custom backdoor known as SlowStepper and employ EdgeStepper to hijack legitimate updates by redirecting traffic to attacker-controlled servers. Additionally, they have exploited vulnerabilities in web servers and conducted a supply-chain attack in 2023.

Overview

In 2024, during research on PlushDaemon’s activities, including a supply-chain compromise in South Korea, an ELF file submitted to VirusTotal contained subdomains from PlushDaemon’s infrastructure. This file, named bioset, was hosted on a likely compromised server. Internally named dns_cheat_v2, EdgeStepper (or bioset) forwards DNS traffic to a malicious DNS node, enabling the redirection of software update traffic to a malicious node.

Victimology

PlushDaemon has compromised individuals and organizations in various regions since 2019, redirecting software updates to malicious nodes. Victims include entities in the United States, Taiwan, China, Hong Kong, New Zealand, and Cambodia.

Adversary-in-the-middle attack overview

PlushDaemon compromises network devices to deploy EdgeStepper, which redirects DNS queries to a malicious node, intercepting software update traffic. This allows them to serve malicious updates to targeted systems, as illustrated in Figures 2 to 5.

EdgeStepper

Originally named dns_cheat_v2, EdgeStepper is developed in Go using the GoFrame framework and compiled for MIPS32 processors. It decrypts configuration data from /etc/bioset.conf using AES CBC encryption. The decrypted configuration includes details like the port and host information used for malicious activities.

The decrypted configuration specifies that the “toPort” parameter determines the port where EdgeStepper listens, and the “host” parameter specifies the domain that resolves to the IP address(es) of the DNS node for forwarding DNS query packets.

There is an unused configuration block in the EdgeStepper binary with the domain “test.dsc.wcsset[.]com” resolving to “47.242.198[.]250”, which was identified as the source of the malicious update. This domain still resolves to the same IP address at the time of writing.

After loading its configuration, EdgeStepper initializes the Distributor system and the Ruler system.

The Distributor system resolves the IP address(es) associated with the “host” domain and invokes the Ruler system to redirect traffic on port 53 to port 1090, acting as a DNS proxy.

The Ruler system uses the iptables command to redirect UDP traffic on port 53 to the port specified by “toPort” in the configuration. It also accepts packets on that port and removes the rules when terminating the attack.

LittleDaemon is the first stage deployed on the victim’s machine through hijacked updates, communicating with the hijacking node to obtain the DaemonicLogistics downloader. DaemonicLogistics is deployed to download and deploy the SlowStepper implant.

DaemonicLogistics interprets HTTP status codes from the hijacking node as commands, performing actions listed in Table 1. It communicates with the server using specific URLs and parameters, downloading files and executing commands based on the server’s responses. DaemonicLogistics initiated two requests to download the SlowStepper payload files. The first request was made to ime.sogou.com/update/file6.bdat, followed by a request to ime.sogou.com/update/file2.bdat.

The initial response from the server in both cases contained a distinct magic value:

  • Upon receiving the first response, the magic value in hexadecimal format was 50 4B 03 04 0A 1B 2C 3D (PK\3\4\A\1B\2C\3C):

    DaemonicLogistics verifies that the first eight bytes of the received data match this magic value. If the condition is met, the data is saved to %PROGRAMDATA%\Tencent\QQUpdateMgr\UpdateFiles\logo.gif.

  • In response to the second request, the magic value in hex was 47 49 46 38 39 61 10 10 (GIF89a\10\10)

    In this case, DaemonicLogistics does not validate the specific magic value. When the previous magic value check fails, it proceeds to decrypt the data using XOR operations. The decrypted data includes files that are written to specified paths on the disk..

Conclusion

We delved into the EdgeStepper network implant, which facilitates PlushDaemon’s adversary-in-the-middle tactics for intercepting updates within a targeted network. Additionally, we scrutinized the LittleDaemon and DaemonicLogistics tools, working in tandem to deploy the SlowStepper implant on Windows systems. These implants empower PlushDaemon to compromise targets globally.

For further details regarding our research featured on WeLiveSecurity, reach out to us at threatintel@eset.com.

ESET Research provides exclusive APT intelligence reports and data feeds. For inquiries about this service, explore the ESET Threat Intelligence page.

IoCs

You can access a comprehensive list of indicators of compromise and samples on our GitHub repository.

Files

SHA-1 Filename ESET detection name Description
8F569641691ECB3888CD4C11932A5B8E13F04B07 bioset Linux/Agent.AEP EdgeStepper.
06177810D61A69F34091CC9689B813740D4C260F bioset.conf Win32/Rozena.BXX Encrypted configuration for EdgeStepper.
69974455D8C13C5D57C1EE91E147FF9AED49AEBC popup_4.2.0.2246.dll Win32/Agent.AGXK LittleDaemon.
2857BC730952682D39F426D185769938E839A125 sogou_wubi_15.4.0.2508_0000.exe Win32/Agent.AFDT LittleDaemon.

Network

IP Domain Hosting provider First seen Details
8.212.132[.]120 ds20221202.dsc.wcsset[.]com Alibaba (US) Technology Co., Ltd. 2024‑07‑12 DNS/Hijacking node.
47.242.198[.]250 test.dsc.wcsset[.]com Alibaba Cloud LLC 2024‑07‑12 DNS/Hijacking node.

MITRE ATT&CK techniques

This table was constructed using version 18 of the MITRE ATT&CK framework.

Tactic ID Name Description
Resource Development T1583.001 Acquire Infrastructure: Domains PlushDaemon leverages EdgeStepper to divert traffic to specific subdomains within the PlushDaemon infrastructure on wcsset[.]com.
T1583.002 Acquire Infrastructure: DNS Server Segments of the PlushDaemon infrastructure serve as hosts for its malicious DNS nodes.
T1583.004 Acquire Infrastructure: Server PlushDaemon has procured servers for housing its DNS/hijacking nodes and C&C servers.
T1608.001 Stage Capabilities: Upload Malware PlushDaemon hosts its payloads on DNS/hijacking servers.
Initial Access T1659 Content Injection Hijacked nodes from PlushDaemon intercept and respond to legitimate software with directives to download malware like LittleDaemon.
Execution T1106 Native API DaemonicLogistics triggers the SlowStepper implant using the ShellExecute API.
Defense Evasion T1070.004 Indicator Removal: File Deletion Certain variants of LittleDaemon can self-delete.
T1036.005 Masquerading: Match Legitimate Name or Location DaemonicLogistics establishes a subdirectory named Tencent to store its files.
T1036.008 Masquerading: Masquerade File Type DaemonicLogistics and the loader for SlowStepper decrypt files posing as ZIP and GIF formats.
T1027.009 Obfuscated Files or Information: Embedded Payloads Files disguised as ZIPs and GIFs contain encrypted embedded components.
T1027.013 Obfuscated Files or Information: Encrypted/Encoded File Elements of the SlowStepper implant are encrypted on the disk.
Discovery T1518.001 Software Discovery: Security Software Discovery DaemonicLogistics scans for the existence of 360tray.exe, a component of 360 Total Security.
T1016 System Network Configuration Discovery DaemonicLogistics tries to retrieve the MAC address of the ethernet or Wi-Fi adapter.
T1057 Process Discovery DaemonicLogistics enumerates processes.
Command and Control T1071.001 Application Layer Protocol: Web Protocols LittleDaemon and DaemonicLogistics utilize HTTP for communication with their server.
T1573 Encrypted Channel LittleDaemon fetches the encrypted DaemonicLogistics via HTTP, which in turn downloads the encrypted SlowStepper implant via HTTP.
T1665 Hide Infrastructure LittleDaemon and DaemonicLogistics camouflage their downloads by sending HTTP requests to legitimate domains.

Can you please rewrite the sentence you provided for clarification? sentence: Please make sure to lock the door before you leave the house.

Don’t forget to lock the door when you go out.

Leave a Reply

Your email address will not be published. Required fields are marked *