Full Report
The threat actor known as PlushDaemon has been observed using a previously undocumented Go-based network backdoor codenamed EdgeStepper to facilitate adversary-in-the-middle (AitM) attacks. EdgeStepper "redirects all DNS queries to an external, malicious hijacking node, effectively rerouting the traffic from legitimate infrastructure used for software updates to attacker-controlled infrastructure."
Analysis Summary
# Tool/Technique: EdgeStepper
## Overview
EdgeStepper is a previously undocumented Go-based network backdoor used by the threat actor PlushDaemon primarily to facilitate Adversary-in-the-Middle (AitM) attacks. Its core function is to redirect all DNS queries to a malicious hijacking node, thereby rerouting traffic intended for legitimate software update infrastructure to attacker-controlled infrastructure.
## Technical Details
- Type: Malware (Network Backdoor)
- Platform: Likely Linux/Unix-like systems capable of running Go binaries and utilizing `iptables` (implied by functionality targeting edge network devices like routers).
- Capabilities: DNS hijacking, interception of software update traffic, command execution structure (via modules).
- First Seen: Not specified in the text, but associated actor PlushDaemon active since at least 2018.
## MITRE ATT&CK Mapping
- T1557 - Adversary-in-the-Middle
- T1557.001 - Man-in-the-Middle: Network Sniffing (Implied goal of rerouting traffic)
- T1071 - Application Layer Protocol
- T1071.004 - Application Layer Protocol: DNS (Core mechanism for hijacking)
- T1190 - Exploit Public-Facing Application (Likely initial access method to deploy the implant)
- TA0011 - Command and Control (Used to communicate with hijacking nodes)
## Functionality
### Core Capabilities
- **DNS Hijacking:** Redirects DNS queries to a malicious node controlled by the adversary.
- **Software Update Interception:** Specifically checks if the queried domain relates to software updates. If so, it replies with the IP address of the hijacking node (or its own IP if it serves both DNS and hijacking functions).
- **Network Filter Configuration:** Deploys a `Ruler` component responsible for configuring IP packet filter rules using `iptables`.
- **Malware Staging:** Used to hijack updates for Chinese software (e.g., Sogou Pinyin) to deliver secondary payloads like the LittleDaemon DLL.
### Advanced Features
- **Modular Structure:** Consists of two main components: a **Distributor** module (resolves the DNS node domain) and a **Ruler** component (`iptables` configuration).
- **Chaining of Payloads:** Can deploy other implants like LittleDaemon, which in turn fetches DaemonicLogistics to install the more feature-rich SlowStepper backdoor if it is not already present.
## Indicators of Compromise
- File Hashes: [Not specified]
- File Names: [Not specified]
- Registry Keys: [Not specified]
- Network Indicators:
  - DNS Node Domain: `test[.]dsc[.]wcsset[.]com` (associated with the Distributor module)
- Behavioral Indicators:
  - Modification of `iptables` rules.
  - DNS responses pointing update domains to non-standard IPs.
  - Attempted installation/loading of `popup_4.2.0.2246.dll` (LittleDaemon).
## Associated Threat Actors
- PlushDaemon (China-aligned APT group, active since at least 2018).
## Detection Methods
- Signature-based detection: Detection based on known EdgeStepper binary signatures (if available).
- Behavioral detection: Monitoring for unauthorized configuration changes to `iptables`, especially those related to redirecting outgoing DNS or HTTP/HTTPS traffic targeting known software update domains.
- YARA rules: [Not specified]
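As an added illustration of the behavioral check described above (not code from the original report), the following Python parses `iptables-save` output and flags nat-table rules that DNAT or REDIRECT DNS, HTTP or HTTPS traffic, the kind of change the `Ruler` component is described as making; the sample rules and the 203.0.113.7 address are constructed for this example.

```python
import re

# Constructed sample of `iptables-save` output (not captured from a real host):
# a benign MASQUERADE rule plus rules of the kind the page attributes to
# EdgeStepper's Ruler component: DNS redirected off-box and plaintext update
# traffic steered to a hijacking node. 203.0.113.7 is a documentation address.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
-A PREROUTING -p udp --dport 53 -j DNAT --to-destination 203.0.113.7:53
-A PREROUTING -p tcp --dport 80 -j DNAT --to-destination 203.0.113.7:80
COMMIT
"""

# Ports whose redirection on an edge device deserves an alert: DNS, HTTP, HTTPS.
WATCHED_PORTS = {53, 80, 443}
REDIRECT_TARGETS = {"DNAT", "REDIRECT"}
RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)(?P<body>.*?)\s-j\s+(?P<target>\S+)(?P<rest>.*)$")
PORT_RE = re.compile(r"--dport\s+(\d+)")
DEST_RE = re.compile(r"--to-destination\s+(\S+)")

def suspicious_redirects(iptables_save_text):
    """Return (chain, dport, target, destination) for every nat-table rule that
    DNATs or REDIRECTs traffic on a watched port. Other tables are ignored; a
    REDIRECT rule has no --to-destination and is reported as 'local'."""
    findings = []
    in_nat = False
    for line in iptables_save_text.splitlines():
        line = line.strip()
        if line.startswith("*"):          # table header, e.g. *nat / *filter
            in_nat = line == "*nat"
            continue
        m = RULE_RE.match(line) if in_nat else None
        if not m or m.group("target") not in REDIRECT_TARGETS:
            continue
        port = PORT_RE.search(m.group("body"))
        if not port or int(port.group(1)) not in WATCHED_PORTS:
            continue
        dest = DEST_RE.search(m.group("rest"))
        findings.append((m.group("chain"), int(port.group(1)), m.group("target"),
                         dest.group(1) if dest else "local"))
    return findings

if __name__ == "__main__":
    for chain, port, target, dest in suspicious_redirects(SAMPLE_IPTABLES_SAVE):
        print(f"ALERT: {chain} dport={port} {target} -> {dest}")
```

Run it against the real `iptables-save` output of an edge device and compare the findings with the device's approved NAT baseline; any DNS or update-port redirect that is not in the baseline is worth investigating.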
## Mitigation Strategies
- **DNS Security:** Implement DNS sinkholing for suspicious outbound DNS queries or utilize DNS security extensions (DNSSEC) where possible.
- **Network Segmentation:** Limit the reachability of critical network devices (like routers) used for initial access.
- **Patch Management:** Eliminate weak credentials or unpatched vulnerabilities on edge devices used as initial entry points.
- **Endpoint Visibility:** Monitor for the execution of Go binaries exhibiting network beaconing or modification of system firewall rules (`iptables`).
## Related Tools/Techniques
- **SlowStepper:** A feature-rich implant deployed by PlushDaemon, sometimes fetched after EdgeStepper's initial compromise.
- **LittleDaemon:** First-stage payload delivered via hijacked updates orchestrated by EdgeStepper.
- **DaemonicLogistics:** Downloader used to fetch SlowStepper.
- **AitM Poisoning techniques:** Also used broadly by other China-affiliated groups, including LuoYu, Evasive Panda, BlackTech, TheWizards APT, Blackwood, and FontGoblin.