PlushDaemon APT and SlowStepper Malware Attack on IPany VPN

A recently uncovered cyberespionage campaign has been attributed to the advanced persistent threat (APT) group known as PlushDaemon, which has targeted organizations in East Asia, including South Korea, China, and Japan.

Key Details of the Attack

  • Target: The primary target in this campaign was IPany, a South Korean VPN service provider. The attackers conducted a supply chain attack by trojanizing the installer for IPany's VPN software [1].
  • Malware: When executed, the trojanized installer deploys a loader that eventually runs the SlowStepper malware. SlowStepper supports a range of operator commands, enabling the theft of extensive system information, file deletion, execution of Python modules, and self-deletion [1].
  • Impact: The attack affected multiple organizations, including a semiconductor firm and a software development company in South Korea. Other targets included entities in China and Japan [1].

PlushDaemon APT Group

  • Origin and Alignment: PlushDaemon is a China-aligned APT group that has invested steadily in developing a wide array of tools, making it a significant threat to watch [1].
  • Toolset and History: The group's toolset is rich and has a substantial version history, indicating that, although previously undocumented, PlushDaemon has been actively developing and refining its tools for some time [1].

Technical Details

  • Infection Vector: The attack began with a supply chain compromise in which the legitimate installer for IPany's VPN software was replaced with a trojanized version. The malicious installer deploys a loader and a chain of subsequent DLLs, ultimately leading to the execution of the SlowStepper malware [1].
  • Capabilities: SlowStepper is designed to perform a variety of malicious activities, including stealing system information, deleting files, executing Python modules, and deleting itself to evade detection [1].
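The infection vector above hinges on a user running an installer that no longer matches what the vendor built. One practical control against that class of attack (and the "monitor for indicators of compromise" recommendation in the next section) is to refuse to execute an installer whose SHA-256 does not match a hash the vendor published through a separate channel. The script below is an added example written for this page, not code from IPany, ESET, or the reported campaign; the file name `vpn-installer.exe`, the manifest contents, and the installer bytes are constructed placeholders so it runs offline.

```python
"""Pinned-hash check for a downloaded installer before it is executed.

Added example for this page, not code from IPany, ESET or the campaign.
File name, manifest and installer bytes are constructed placeholders.
A trojanized installer that replaces the vendor's file will not match the
hash the vendor published out of band, so the check refuses to run it.
"""
import hashlib
import hmac

# Constructed stand-ins for the vendor's real installer and a tampered copy
# that carries an extra loader stage appended to the legitimate payload.
GOOD_INSTALLER = b"MZ\x90\x00" + b"vendor installer payload (constructed)"
TROJANIZED_INSTALLER = GOOD_INSTALLER + b"\x00extra loader stage (constructed)"

# Constructed manifest in sha256sum layout ("HEX  name" or "HEX *name").
# Assumption: the vendor publishes this over a channel separate from the
# download itself, e.g. a signed release note, not the same web server.
MANIFEST_TEXT = (
    hashlib.sha256(GOOD_INSTALLER).hexdigest() + "  vpn-installer.exe\n"
    "# comment lines and blank lines are ignored\n"
    "\n"
)


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the file contents as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def parse_sha256sums(text: str) -> dict:
    """Parse sha256sum-style lines into {filename: hex_digest}.

    Malformed digests raise rather than being pinned silently, so a
    corrupted or truncated manifest cannot turn into a permissive check.
    """
    pinned = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"malformed manifest line: {line!r}")
        digest = parts[0].lower()
        name = parts[1].lstrip("*").strip()  # "*" marks binary mode in sha256sum
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed digest in manifest line: {line!r}")
        pinned[name] = digest
    return pinned


def verify_installer(name: str, data: bytes, pinned: dict) -> tuple:
    """Return (ok, reason). ok is True only when the hash matches the pin.

    An unknown file name is a failure, not a pass: an installer the vendor
    never published a hash for must not be run on the strength of this check.
    """
    expected = pinned.get(name)
    if expected is None:
        return False, f"no pinned hash for {name}; refusing unknown file"
    actual = sha256_hex(data)
    # compare_digest keeps the comparison constant-time with respect to
    # where the two digests first differ.
    if not hmac.compare_digest(actual, expected):
        return False, (f"hash mismatch for {name}: expected {expected[:12]}..., "
                       f"got {actual[:12]}...")
    return True, "hash matches pinned value"


if __name__ == "__main__":
    pins = parse_sha256sums(MANIFEST_TEXT)
    for label, blob in (("vendor copy", GOOD_INSTALLER),
                        ("tampered copy", TROJANIZED_INSTALLER)):
        ok, why = verify_installer("vpn-installer.exe", blob, pins)
        print(f"{label}: {'RUN' if ok else 'BLOCK'} ({why})")
```

The check is only as strong as the channel the manifest arrives through: if the same server that serves the installer also serves the hash list, an attacker who swapped the installer can swap the list too. A code-signing verification (for Windows installers, the Authenticode signature) is the complementary check, and neither helps if the vendor's own build or signing pipeline was the point of compromise.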

Mitigation and Response

  • Analysis by ESET: ESET's analysis highlighted the complexity and sophistication of the PlushDaemon toolset, emphasizing the need for heightened vigilance and robust security measures to counter such threats [1].
  • Recommendations: To mitigate risks, organizations should verify the authenticity of software installers before deployment (code signature and vendor-published hash), apply patches promptly, implement network segmentation, monitor for indicators of compromise, and strengthen incident response plans. Adopting multi-factor authentication and engaging in threat intelligence monitoring are also crucial [4].

Conclusion

The PlushDaemon APT group's attack on IPany VPN and other East Asian organizations underscores the evolving landscape of cyberespionage and the need for enhanced security measures. The use of sophisticated malware like SlowStepper highlights the capabilities of these threat actors and the importance of continuous monitoring and robust security practices.

Sources

  • [1] SC World: New Chinese cyberespionage campaign targeted South Korean VPN service
  • [4] Security Links: Latest News for Cybersecurity