ESET researchers have uncovered a previously undisclosed APT group, PlushDaemon, linked to China, which executed a supply-chain attack on a South Korean VPN developer in 2023. The attackers replaced the legitimate VPN installer with a malicious version that deployed a sophisticated backdoor known as SlowStepper. This backdoor features a comprehensive toolkit with over 30 components, allowing extensive cyber espionage capabilities. Affected: IPany VPN
Keypoints :
- PlushDaemon is a China-aligned APT group involved in cyberespionage.
- The group hijacks legitimate updates and has executed a supply-chain attack on a South Korean VPN developer.
- SlowStepper is a custom backdoor exclusively used by PlushDaemon.
- SlowStepper comprises a toolkit of approximately 30 modules, developed in C++, Python, and Go.
- The malicious installer was detected in May 2024, leading to the removal of the compromised software from the developer’s website.
MITRE Techniques :
- Resource Development (T1583.001): PlushDaemon has acquired domain names for its C&C infrastructure.
- Initial Access (T1195.002): Compromised the supply chain of a VPN developer by replacing the original installer.
- Execution (T1059.003): SlowStepper uses cmd.exe to execute commands on a compromised machine.
- Persistence (T1547.001): Establishes persistence by adding an entry in the Windows Registry.
- Command and Control (T1071.004): SlowStepper retrieves a DNS TXT record to obtain a list of C&C servers.
Indicator of Compromise :
- [file hash] A8AE42884A8EDFA17E9D67AE5BEBE7D196C3A7BF
- [file name] AutoMsg.dll
- [file hash] 068FD2D209C0BBB0C6FC14E88D63F92441163233
- [file name] IPanyVPNsetup.exe
- [url] https://ipany[.]kr/download/IPanyVPNsetup.zip
- Check the article for all found IoCs.
Full Research: https://www.welivesecurity.com/en/eset-research/plushdaemon-compromises-supply-chain-korean-vpn-service/