China-linked PlushDaemon hijacks software updates with new EdgeStepper implant, ESET says

A China-linked threat actor tracked as PlushDaemon has been hijacking software update traffic with a new network implant called EdgeStepper.

According to ESET, attackers gain access to routers by exploiting known vulnerabilities or weak administrator passwords, install the Golang-based EdgeStepper ELF binary, and intercept DNS queries to redirect domains used for software updates to attacker-controlled infrastructure. The researchers provided further technical detail in a report.

When devices attempt to update, the manipulated update flow delivers a first-stage Windows downloader called LittleDaemon disguised as a DLL file, ESET said. LittleDaemon contacts the hijacking node to fetch a second-stage dropper named DaemonicLogistics, which is decrypted and executed in memory before retrieving the signature backdoor SlowStepper.
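One defender-side check for the router-level DNS redirection described above, added here as an example and not taken from ESET's report: send the same A query for an update domain to the local (router-supplied) resolver and to an independent reference resolver, then flag answers that only the local resolver returns. The update domain and resolver addresses in the block are assumptions.

```python
import socket
import struct

# Added example (not from ESET's report): cross-check how an update domain
# resolves via the local resolver versus an independent reference resolver.

def build_a_query(domain: str, txid: int = 0x1234) -> bytes:
    """Build a minimal DNS A query in wire format (RFC 1035), RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in domain.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # A, IN

def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: 2 bytes, ends name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_answers(msg: bytes) -> set[str]:
    """Extract IPv4 addresses from the answer section; skip CNAME/other RRs."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    if flags & 0x8000 == 0:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = set()
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.add(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def resolve_via(server: str, domain: str, timeout: float = 3.0) -> set[str]:
    """Send the query over UDP/53 to one resolver and return its A answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(domain), (server, 53))
        return parse_a_answers(s.recv(4096))

def hijack_suspects(local: set[str], reference: set[str]) -> set[str]:
    """Addresses only the local resolver returned. CDN-backed domains vary
    by resolver legitimately, so treat hits as leads, not verdicts."""
    return local - reference

if __name__ == "__main__":
    dom = "updates.example.com"              # assumed update domain
    local = resolve_via("192.168.1.1", dom)  # assumed router resolver
    ref = resolve_via("1.1.1.1", dom)        # assumed reference resolver
    print(sorted(hijack_suspects(local, ref)))
```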

SlowStepper, previously used in other supply-chain incidents, provides capabilities to enumerate system details, perform broad file operations, run commands and deploy Python-based spyware that can exfiltrate browser data, intercept keystrokes and collect credentials, the researchers said.

ESET noted PlushDaemon has targeted individuals and organisations since 2018 across the United States, China, Taiwan, Hong Kong, South Korea and New Zealand, and has compromised electronics manufacturers, universities and a Japanese automotive manufacturing plant in Cambodia. Telemetry reviewed by ESET shows the actor has relied on malicious update flows since 2019 and the researchers observed hijacking of updates for products such as Sogou Pinyin.

The report includes technical indicators and a list of files, IP addresses and domains linked to the operation; ESET also published a set of indicators of compromise for defenders. ESET warned the adversary-in-the-middle capabilities are sufficient to compromise targets globally.