PlushDaemon APT and the Supply Chain Attack on a South Korean VPN Provider
Overview
A recently identified China-aligned Advanced Persistent Threat (APT) group, known as PlushDaemon, has been linked to a sophisticated supply chain attack targeting a South Korean virtual private network (VPN) provider. Here are the key details of the attack and the associated malware:
PlushDaemon APT Group
- PlushDaemon is assessed to be a China-nexus group that has been operational since at least 2019. The group has targeted individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand [1][2].
Supply Chain Attack
- The attack involved compromising the supply chain of a South Korean VPN provider, specifically IPany. The attackers replaced the legitimate installer of the VPN software with a malicious version that deployed the SlowStepper backdoor [1][2].
SlowStepper Backdoor
- SlowStepper is a feature-rich backdoor with a toolkit consisting of over 30 components, written in C++, Python, and Go. This backdoor is notable for its multistage command-and-control (C&C) protocol using DNS and its ability to download and execute additional Python modules with espionage capabilities [1][2].
Technical Details of the Attack
- Initial Access: The attackers embedded malicious code within the NSIS installer for Windows downloaded from the VPN software provider's website. The rogue installer dropped both the legitimate VPN software and the SlowStepper backdoor [1].
- Persistence and Execution: The installer established persistence on the host and launched a loader ("AutoMsg.dll") that ran shellcode to load another DLL ("EncMgr.pkg"). This DLL extracted additional files ("NetNative.pkg" and "FeatureFlag.pkg"), which were used to sideload a malicious DLL file ("lregdll.dll") using a renamed version of the legitimate command-line utility "regcap.exe" [1].
- Loading the Backdoor: The final DLL loaded the SlowStepper implant from the "winlogin.gif" file within "FeatureFlag.pkg". The version used in this attack was identified as version 0.2.10 Lite, which contains fewer features than other versions [1].
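The sideloading step in the chain above (a renamed copy of the legitimate "regcap.exe" loading "lregdll.dll") leaves a recognisable pattern in endpoint telemetry: the process's PE version information still names the original binary while its on-disk name differs, and the same process then loads the sideloaded DLL. The Python below is an added example, not code from ESET or from the page; it assumes Sysmon-style events carrying the Image, OriginalFileName, ProcessGuid and ImageLoaded fields, and the sample events, paths, user name and GUIDs are constructed for the demonstration.

```python
"""Correlation logic for the DLL sideloading step in the drop chain above:
a renamed copy of the legitimate regcap.exe loading lregdll.dll. Input is
constructed Sysmon-style events (Event ID 1 = process creation,
Event ID 7 = image load); field names follow Sysmon's schema."""
from pathlib import PureWindowsPath

# File names the report attributes to the rogue installer's drop chain.
DROPPED_ARTIFACTS = {
    "automsg.dll", "encmgr.pkg", "netnative.pkg",
    "featureflag.pkg", "lregdll.dll", "winlogin.gif",
}
SIDELOADED_DLL = "lregdll.dll"
ABUSED_HOST_BINARY = "regcap.exe"  # legitimate utility the attackers renamed

# Constructed sample telemetry: paths, user name and GUIDs are invented.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessGuid": "{guid-a}",
     "Image": r"C:\Program Files\ExampleVPN\vpnclient.exe",
     "OriginalFileName": "vpnclient.exe"},
    {"EventID": 1, "ProcessGuid": "{guid-b}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svcupdate.exe",
     "OriginalFileName": "regcap.exe"},              # renamed regcap.exe
    {"EventID": 7, "ProcessGuid": "{guid-b}",
     "Image": r"C:\Users\alice\AppData\Local\Temp\svcupdate.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\lregdll.dll"},
    {"EventID": 7, "ProcessGuid": "{guid-a}",
     "Image": r"C:\Program Files\ExampleVPN\vpnclient.exe",
     "ImageLoaded": r"C:\Windows\System32\ws2_32.dll"},
    {"EventID": 1, "ProcessGuid": "{guid-c}",
     "Image": r"C:\BuildTools\regcap.exe",
     "OriginalFileName": "regcap.exe"},              # not renamed: no alert
]

def basename(win_path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return PureWindowsPath(win_path).name.lower()

def is_renamed_regcap(ev: dict) -> bool:
    """True for a process-creation event whose PE version info says
    regcap.exe but whose on-disk name differs (the renamed-utility tell)."""
    if ev.get("EventID") != 1:
        return False
    original = str(ev.get("OriginalFileName", "")).lower()
    return (original == ABUSED_HOST_BINARY
            and basename(ev.get("Image", "")) != ABUSED_HOST_BINARY)

def find_sideload_chains(events: list) -> list:
    """One finding per process that loads lregdll.dll; severity is 'high'
    when that process is also a renamed regcap.exe, i.e. the full chain."""
    renamed = {ev["ProcessGuid"] for ev in events if is_renamed_regcap(ev)}
    findings = []
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        if basename(ev.get("ImageLoaded", "")) != SIDELOADED_DLL:
            continue
        guid = ev.get("ProcessGuid")
        findings.append({
            "process_guid": guid,
            "image": ev.get("Image"),
            "dll": ev.get("ImageLoaded"),
            "severity": "high" if guid in renamed else "medium",
        })
    return findings

def dropped_artifacts_present(file_names) -> set:
    """Subset of a directory listing that matches the drop-stage file names."""
    return {name for name in file_names if name.lower() in DROPPED_ARTIFACTS}

if __name__ == "__main__":
    for finding in find_sideload_chains(SAMPLE_EVENTS):
        print(finding)
    print(dropped_artifacts_present(["AutoMsg.dll", "readme.txt", "winlogin.gif"]))
```

The correlation keys on ProcessGuid rather than on the executable path, so a renamed utility that loads the DLL from a different directory is still tied back to its creation event; a process that loads "lregdll.dll" without the renamed-regcap signal is reported at lower severity so that the file name alone still surfaces for review.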
Capabilities of SlowStepper
- Data Gathering and Surveillance: SlowStepper includes tools for gathering data and conducting clandestine surveillance, such as recording audio and video, harvesting browser data, camera photos, files, and information from various applications (e.g., LetsVPN, Tencent QQ, WeChat, Kingsoft WPS) [1].
- Command Execution: The backdoor can capture system information, execute commands via cmd.exe, enumerate the file system, download and execute files, and uninstall itself. It also features a custom shell that allows the execution of arbitrary payloads hosted remotely [1].
- C&C Protocol: SlowStepper uses a multistage DNS C&C protocol to obtain IP addresses for its C&C servers. If it fails to connect to the primary servers, it uses a fallback mechanism involving the domain "st.360safe[.]company" [1].
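Because SlowStepper's C&C resolution and its fallback both go through DNS, the fallback domain named above is a natural thing to check resolver or DNS-client logs for. The Python below is an added example, not code from ESET or from the page; it refangs the domain exactly as the summary writes it and matches query names on a label boundary, so look-alike names do not produce false hits. The log layout ("timestamp client qtype qname") and the sample lines are constructed for the demonstration.

```python
"""Check DNS query logs for the fallback C&C domain named above. The report
writes the domain defanged ("[.]"); the matcher refangs it and applies a
label-boundary match so that look-alike names do not produce false hits."""

# Domain exactly as the summary above gives it (defanged).
IOC_DOMAIN_DEFANGED = "st.360safe[.]company"

# Constructed log lines in a "timestamp client qtype qname" layout; they are
# not real telemetry. Lines 2 and 3 should match, the last two should not.
SAMPLE_DNS_LOG = """\
2025-01-22T10:01:03Z 10.0.0.15 A update.example.com
2025-01-22T10:01:09Z 10.0.0.15 A st.360safe.company.
2025-01-22T10:01:10Z 10.0.0.15 TXT a1b2.st.360safe.company
2025-01-22T10:02:00Z 10.0.0.22 A notst.360safe.company
2025-01-22T10:02:30Z 10.0.0.22 A st.360safe.company.example.net
"""

def refang(indicator: str) -> str:
    """Undo the common defanging conventions used in threat reports."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").lower())

def normalize_qname(qname: str) -> str:
    """Lower-case and drop the trailing root dot that resolvers often log."""
    return qname.strip().rstrip(".").lower()

def matches_ioc_domain(qname: str, ioc: str) -> bool:
    """Exact match or a subdomain of the IoC. A plain substring test would
    also fire on 'notst.360safe.company' and 'st.360safe.company.example.net'."""
    q = normalize_qname(qname)
    d = normalize_qname(refang(ioc))
    return q == d or q.endswith("." + d)

def scan_dns_log(lines, ioc: str = IOC_DOMAIN_DEFANGED) -> list:
    """Return one hit per query line whose name matches the IoC."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        timestamp, client, qtype, qname = parts[:4]
        if matches_ioc_domain(qname, ioc):
            hits.append({"time": timestamp, "client": client,
                         "qtype": qtype, "qname": normalize_qname(qname)})
    return hits

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(hit)
```

Matching subdomains as well as the bare name matters for a DNS-based protocol, where per-query labels are prepended to a fixed parent; the boundary check (`q == d or q.endswith("." + d)`) is what keeps an unrelated name that merely contains the string from being reported.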
Impact and Victims
- Victims: Telemetry data showed that several users attempted to install the trojanized software in networks associated with a semiconductor company and an unidentified software development company in South Korea. Victims were also recorded in Japan and China in late 2023 [1].
- Risk: Any individual or entity that downloaded the booby-trapped ZIP archive could have been at risk of being compromised by the SlowStepper backdoor [1].
Conclusion
The PlushDaemon APT group's use of the SlowStepper backdoor in a supply chain attack on a South Korean VPN provider highlights the sophistication and threat posed by this China-aligned group. The extensive toolkit and multistage C&C protocol of SlowStepper make it a significant threat in the cybersecurity landscape.
For more detailed information, refer to the technical report by ESET and associated news coverage: