- China-aligned PlushDaemon deploys malware through compromised routers
- PlushDaemon deploys LittleDaemon and DaemonLogistics on network devices
- The final payload, SlowStepper, can run commands and deploy spyware
China-aligned hacking group PlushDaemon has been spotted by ESET targeting routers and other network devices with malware to launch supply chain attacks.
The cybersecurity experts note the group has been active since 2018, and has so far deployed attacks against targets in the United States, New Zealand, Cambodia, Hong Kong, Taiwan, and mainland China.
The group deploys the EdgeStepper implant on network devices by exploiting software vulnerabilities, or by using default administrative credentials that have not been changed on the targeted infrastructure.
PlushDaemon strikes routers with malware
ESET researchers studied how the attack unfolded against software input method Sogou Pinyin.
Once EdgeStepper has been deployed, the implant will begin redirecting incoming DNS queries that relate to software updates to a malicious DNS node, which then directs software updates to a malicious IP address used for hijacking.
Rather than receiving a software update from the legitimate node, a DLL file containing the LittleDaemon malware downloader is served from the hijacking node. LittleDaemon then serves the DaemonicLogistics malware dropper which is executed in memory, retrieving the final step in the attack: SlowStepper.
Slowstepper can perform a range of malicious actions, such as pulling system information, deploying Python-based spyware to log keystrokes and steal credentials, or execute files and run commands. Due to the nature of PlushDaemon’s attack vector, the group has “the capability to compromise targets anywhere in the world.”
For more information on indicators of compromise and technical details on the malware, take a look at ESET’s Research on PlushDaemon.
