Full report: ESET researchers have discovered a network implant used by the China-aligned PlushDaemon APT group to perform adversary-in-the-middle attacks.
Analysis Summary
# Threat Actor: PlushDaemon
## Attribution & Identity
* **Identification:** China-aligned Threat Actor.
* **Aliases/Associations:** Tracked as PlushDaemon by ESET researchers. Active since at least 2018.
## Activity Summary
PlushDaemon is engaged in espionage operations. Its primary confirmed initial access technique currently involves an **Adversary-in-the-Middle (AiTM)** attack: compromising network devices (such as routers) to deploy the **EdgeStepper** network implant. This implant hijacks DNS queries for legitimate software updates, redirecting the traffic to attacker-controlled infrastructure that serves malicious updates. Additionally, the group has been observed gaining access via vulnerabilities in web servers and executing a supply-chain attack in 2023.
## Tactics, Techniques & Procedures
- **Initial Access/Network Compromise:** Compromising network devices (routers) potentially via vulnerability exploitation or default credentials to deploy network implants.
- **Adversary-in-the-Middle (AiTM):** Using the **EdgeStepper** implant to redirect DNS queries for legitimate software updates (e.g., Sogou Pinyin) to attacker-controlled hijacking nodes.
- **Installation/Execution:** Utilizing downloaders named **LittleDaemon** and **DaemonicLogistics** to deploy the **SlowStepper** backdoor on Windows machines.
- **Defense Evasion:**
  - Removing installation files (LittleDaemon variants).
  - Masquerading: Creating a subdirectory named `Tencent` for storing files (DaemonicLogistics).
  - Masquerading: Decrypting files that masquerade as ZIP and GIF files (DaemonicLogistics and SlowStepper loader).
- **Obfuscation:** SlowStepper implant components are encrypted on disk; files masquerading as ZIPs/GIFs contain embedded encrypted components.
- **Discovery:**
  - Checking for security software (e.g., `360tray.exe`).
  - Discovering system network configuration (obtaining MAC addresses).
  - Process Discovery (listing running processes).
- **Command and Control (C2):** Using HTTP (Web Protocols) via LittleDaemon and DaemonicLogistics. Utilizing encrypted channels for downloads. Hiding infrastructure by sending HTTP requests to legitimate domains.
- **Execution:** Using the ShellExecute API to execute the SlowStepper implant (DaemonicLogistics).
| MITRE ATT&CK ID | Technique Name |
| :--- | :--- |
| T1106 | Native API |
| T1070.004 | Indicator Removal: File Deletion |
| T1036.005 | Masquerading: Match Legitimate Name or Location |
| T1036.008 | Masquerading: Masquerade File Type |
| T1027.009 | Obfuscated Files or Information: Embedded Payloads |
| T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File |
| T1518.001 | Software Discovery: Security Software Discovery |
| T1016 | System Network Configuration Discovery |
| T1057 | Process Discovery |
| T1071.001 | Application Layer Protocol: Web Protocols |
| T1573 | Encrypted Channel |
| T1665 | Hide Infrastructure |
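As an added example (not code from the ESET report or this page), the following Python flags DNS answers for software-update domains that fall outside the vendor's known address ranges, which is the trace left on a resolver log by the update-lookup redirection described in the AiTM technique above. The domains, addresses and log format are constructed placeholders.

```python
"""Flag DNS answers for software-update domains that fall outside the vendor's
expected ranges. Added example; domains, addresses and log format are constructed."""
import ipaddress
import re

# Constructed baseline: update domain -> ranges the vendor answers from. Learn
# these from a resolver path that does not traverse the suspect gateway.
EXPECTED = {
    "update.ime-vendor.test": ["198.51.100.0/24"],
    "dl.ime-vendor.test": ["198.51.100.0/24", "2001:db8:10::/48"],
}

# Constructed resolver log line: ts client=.. q=.. A|AAAA ans=.. ttl=..
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) q=(?P<qname>\S+) "
    r"(?P<qtype>A|AAAA) ans=(?P<ans>\S+) ttl=(?P<ttl>\d+)$"
)

def parse_line(line):
    """Return the fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def in_expected(qname, answer, expected=EXPECTED):
    """True if the answer lies inside one of the domain's expected ranges."""
    addr = ipaddress.ip_address(answer)
    return any(addr in ipaddress.ip_network(n) for n in expected[qname])

def detect_dns_hijack(lines, expected=EXPECTED):
    """Return (ts, client, qname, answer) for every answer to a watched
    update domain that is outside that domain's expected ranges."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qname"] not in expected:
            continue  # unparsable, or not an update domain we watch
        if not in_expected(rec["qname"], rec["ans"], expected):
            alerts.append((rec["ts"], rec["client"], rec["qname"], rec["ans"]))
    return alerts

# Constructed sample: line 3 is a client whose update lookup resolved outside
# the vendor's range, the pattern an AiTM implant redirecting updates leaves.
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z client=10.0.0.21 q=update.ime-vendor.test A ans=198.51.100.40 ttl=300",
    "2024-05-02T09:14:03Z client=10.0.0.21 q=www.example.test A ans=192.0.2.10 ttl=3600",
    "2024-05-02T09:14:05Z client=10.0.0.33 q=update.ime-vendor.test A ans=203.0.113.9 ttl=30",
    "2024-05-02T09:14:06Z client=10.0.0.33 q=dl.ime-vendor.test AAAA ans=2001:db8:10::5 ttl=300",
    "not a resolver log line",
]
```

Because a compromised gateway can also poison the baseline, the expected ranges should come from a resolver reached over a path that bypasses the device under suspicion.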
## Targeting
* **Sectors:** Manufacturing (automotive sector, electronics manufacturing), Education (university).
* **Geography:** China, Taiwan, Hong Kong, South Korea, United States, New Zealand, Cambodia.
* **Victims:** Individuals and organizations within these regions, including a university in Beijing and a Taiwanese electronics manufacturer.
## Tools & Infrastructure
* **Malware Families:**
* **EdgeStepper:** Network implant used for AiTM DNS hijacking (internally called `dns_cheat_v2`).
* **SlowStepper:** Custom backdoor deployed on Windows machines.
* **LittleDaemon:** Downloader used to deploy DaemonicLogistics.
* **DaemonicLogistics:** Downloader used to deploy the SlowStepper implant.
* **Infrastructure:** Malicious DNS nodes and hijacking nodes used to serve malicious updates. No specific URLs or IP addresses are provided in the source.
## Implications
PlushDaemon employs a sophisticated initial access technique by hijacking established, trusted software update mechanisms via network device compromise. This AiTM strategy allows them to bypass typical perimeter defenses by feeding victims malicious updates masquerading as legitimate ones, providing persistent access via the SlowStepper backdoor. Their targeting spans multiple geographic locations and critical sectors, indicating state-sponsored espionage objectives.
## Mitigations
* Implement strict network monitoring for unusual DNS query redirection, especially involving traffic destined for known software update domains.
* Secure network devices (routers, gateways) thoroughly by changing default credentials and patching associated software to prevent the deployment of implants like EdgeStepper.
* Employ solutions capable of detecting file masquerading (e.g., signatures for encrypted payloads disguised as common files like ZIP or GIF).
* Verify that endpoint security software is present and running on hosts, and apply defense in depth against persistence mechanisms such as the SlowStepper backdoor.
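As an added example (not code from the ESET report or this page) of the masquerade-detection mitigation above, the following Python walks a GIF's block structure to find its logical end and measures the entropy of whatever follows; a valid image header with a high-entropy tail is the shape of the ZIP/GIF masquerading noted under Defense Evasion. Only the GIF case is implemented here (a ZIP analogue would locate the end-of-central-directory record instead), and the sample image and blob are constructed.

```python
"""Measure what lies past a GIF's logical end: extra high-entropy bytes after
the trailer are a candidate embedded encrypted payload. Added example; constructed data."""
import math
from collections import Counter

def entropy(data):
    """Shannon entropy in bits per byte (8.0 for uniformly distributed bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def color_table_len(flags):
    return 3 << ((flags & 7) + 1) if flags & 0x80 else 0  # table present?

def gif_logical_end(data):
    """Walk the GIF block structure; return the offset just past the 0x3B
    trailer, or None if the data is not a well-formed GIF."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return None
    try:
        pos = 13 + color_table_len(data[10])  # header + global color table
        while True:
            marker = data[pos]
            if marker == 0x3B:
                return pos + 1
            if marker == 0x2C:  # image descriptor, local table, LZW code size
                pos += 10 + color_table_len(data[pos + 9]) + 1
            elif marker == 0x21:  # extension: introducer + label byte
                pos += 2
            else:
                return None
            while data[pos]:  # data sub-blocks end with a zero-length block
                pos += data[pos] + 1
            pos += 1
    except IndexError:
        return None  # structure runs off the end of the file

def trailing_payload(data, min_entropy=7.0):
    """Return (trailing_len, trailing_entropy, suspicious), or None if not a GIF."""
    end = gif_logical_end(data)
    if end is None:
        return None
    ent = entropy(data[end:])
    return len(data) - end, ent, ent >= min_entropy

# Constructed 1x1 GIF; BLOB stands in for an encrypted payload appended to it.
CLEAN_GIF = (b"GIF89a\x01\x00\x01\x00\x00\x00\x00"
             b"\x2c\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02\x44\x01\x00\x3b")
BLOB = bytes(range(256)) * 16
```

Some legitimate files carry a few junk bytes after the trailer, so the entropy threshold and a minimum tail length keep the check from alerting on harmless padding.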