- China-aligned PlushDaemon deploys malware via compromised routers
- PlushDaemon deploys LittleDaemon and DaemonicLogistics on network devices
- The final payload, SlowStepper, can execute commands and deploy spyware
Chinese hacking group PlushDaemon has been spotted by ESET targeting routers and other network devices with malware to launch supply chain attacks.
Cybersecurity experts note that the group has been active since 2018 and has so far deployed attacks against targets in the United States, New Zealand, Cambodia, Hong Kong, Taiwan and mainland China.
The group deploys the EdgeStepper implant on network devices by exploiting software vulnerabilities or using default administrative credentials that have not been changed on the targeted infrastructure.
PlushDaemon hits routers with malware
ESET researchers studied how the attack against the Sogou Pinyin software input method unfolded.
Once EdgeStepper is deployed, the implant redirects DNS queries for software update domains to a malicious DNS node, which resolves them to an attacker-controlled IP address so that update traffic is steered there instead of to the vendor.
Rather than receiving a software update from the legitimate server, the victim is served a DLL file containing the LittleDaemon downloader from the hijacked node. LittleDaemon then fetches the DaemonicLogistics dropper, which executes in memory and retrieves the final stage of the attack: SlowStepper.
SlowStepper can perform a range of malicious actions, such as collecting system information, deploying Python-based spyware to record keystrokes and steal credentials, or executing files and running commands. Because of the nature of PlushDaemon’s attack vector, the group has “the ability to compromise targets anywhere in the world.”
For indicators of compromise and technical details about the malware, see ESET’s research on PlushDaemon.