PlushDaemon has been making waves since at least 2018. This prominent threat actor, which we believe is acting in the service of Chinese national interests, is targeting people all over the world. This well-organized cadre has undertaken complex assaults on entities in the United States and New Zealand. It has gone after firms in Cambodia, Hong Kong, Taiwan, South Korea, and mainland China. Its most recent tactics include the use of a previously undocumented Go-based network backdoor called EdgeStepper, which enables adversary-in-the-middle (AitM) attacks.
PlushDaemon's primary and most common means of gaining initial access is AitM poisoning. This approach lets it take advantage of software update vulnerabilities to deploy first-stage malware, referred to as LittleDaemon. This previously unknown malware connects to an attacker-controlled node to retrieve an initial downloader, which we're calling DaemonicLogistics. PlushDaemon focuses on Chinese software, such as the well-known Sogou Pinyin IME, commandeering legitimate update channels to spread its malicious software.
The Mechanics of EdgeStepper
EdgeStepper consists of two main components: the Distributor module and the Ruler component. The Distributor module is responsible for resolving the IP address of a given DNS node domain, "test.dsc.wcsset.com". After it determines that an OS update request is legitimate, it redirects DNS queries to a malicious DNS node.
“Then, EdgeStepper begins redirecting DNS queries to a malicious DNS node that verifies whether the domain in the DNS query message is related to software updates, and if so, it replies with the IP address of the hijacking node.” – Facundo Muñoz
This process makes EdgeStepper the ideal tool for rerouting valuable traffic, meant to secure and update devices, to attacker-controlled infrastructure. Consequently, the group has the potential to undermine targets across the globe.
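The mechanism described above, a DNS node that answers only update-related queries with the address of a hijacking node, leaves a detectable trace: several distinct update hostnames suddenly resolve to the same unexpected address. The following is an added detection example, not ESET's code or anything from the report; the log format, the hostnames and the known-good baseline are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of DNS log lines (hypothetical format: "<ts> <client> <qname> <rtype> <answer>")
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01Z 10.0.0.12 update.example-ime.invalid A 203.0.113.10
2024-01-01T10:00:02Z 10.0.0.12 update.example-ime.invalid A 203.0.113.10
2024-01-01T10:00:05Z 10.0.0.45 www.example.com A 198.51.100.7
2024-01-01T10:01:07Z 10.0.0.12 update.example-ime.invalid A 192.0.2.66
2024-01-01T10:01:08Z 10.0.0.77 cdn.example-ime.invalid A 192.0.2.66
"""

# Constructed baseline: answers for update hosts as seen from a trusted,
# out-of-band resolver during a clean period (assumption: such a baseline exists).
KNOWN_GOOD = {
    "update.example-ime.invalid": {"203.0.113.10", "203.0.113.11"},
    "cdn.example-ime.invalid": {"203.0.113.20"},
}

# Hostname patterns that mark software-update traffic; the malicious DNS node is
# described as singling out exactly these queries, so only they are checked.
UPDATE_PATTERNS = [re.compile(p) for p in (r"^update\.", r"^cdn\.", r"^dl\.", r"^download\.")]
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (A|AAAA) (\S+)$")

def is_update_host(qname):
    return any(p.search(qname) for p in UPDATE_PATTERNS)

def find_hijacked_answers(log_text, known_good):
    """Return (ts, client, qname, answer) for update queries answered outside the baseline."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected log format
        ts, client, qname, _rtype, answer = m.groups()
        if not is_update_host(qname):
            continue  # non-update traffic is out of scope for this check
        expected = known_good.get(qname)
        if expected is None or answer not in expected:
            alerts.append((ts, client, qname, answer))
    return alerts

def answers_shared_across_hosts(alerts):
    """Map each alerted IP to the distinct update hostnames it answered for (more than one)."""
    by_ip = defaultdict(set)
    for _ts, _client, qname, answer in alerts:
        by_ip[answer].add(qname)
    # One address answering for several update hosts is the signature of a single hijacking node.
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) > 1}
```

On the sample above, the two queries answered with 192.0.2.66 are flagged, and the second function ties them together as one address serving two different update hostnames.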
Targeted Victims
PlushDaemon's recent activity, whether ransomware or another type of attack, has hit a wide variety of organizations. Notable victims include a university in Beijing, an electronics manufacturing company in Taiwan, and a company in the automotive sector. Their attacks have also reached an HR team pursuing diversity leads at a branch of a global Japanese manufacturing conglomerate.
ESET security researcher Facundo Muñoz provided insights into PlushDaemon’s alarming capabilities, emphasizing the group’s extensive reach.
“These implants give PlushDaemon the capability to compromise targets anywhere in the world.” – Facundo Muñoz
The impact of these attacks is enormous. They endanger entire governments and individual institutions alike, and pose a serious risk to national security and economic wellbeing.
Implications for Cybersecurity
The development of EdgeStepper also marks another escalation in the attack methods used by cybercriminals. Attack vectors are growing more sophisticated by the day. Businesses should remain on notice and maintain a strong cybersecurity posture to protect themselves from these threats. Through hijacked software updates, we are witnessing substantial vulnerabilities in the current state of technology. This precarious scenario highlights the clear and present need to strengthen diplomatic security.
"Redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure." – Facundo Muñoz