- China-aligned PlushDaemon deploys malware via compromised routers
- PlushDaemon implements LittleDaemon and DaemonLogistics on network devices
- The final payload, SlowStepper, can execute commands and deploy spyware.
ESET has discovered that China-aligned hacking group PlushDaemon is targeting routers and other network devices with malware to launch supply chain attacks.
Cybersecurity experts note that the group has been active since 2018 and has so far deployed attacks against targets in the United States, New Zealand, Cambodia, Hong Kong, Taiwan and mainland China.
The group deploys the EdgeStepper implant to network devices by exploiting software vulnerabilities or using default administrative credentials that have not been modified on the target infrastructure.
PlushDaemon attacks routers with malware
ESET researchers studied how the attack against the Sogou Pinyin software input method developed.
Once EdgeStepper has been deployed, the implant will begin to redirect incoming DNS queries related to software updates to a malicious DNS node, which then directs the software updates to a malicious IP address used for hijacking.
Instead of receiving a software update from the legitimate node, the hijacker node delivers a DLL file containing the LittleDaemon malware downloader. LittleDaemon then serves the DaemonicLogistics malware dropper that runs in memory, recovering the final step of the attack: SlowStepper.
Slowstepper can perform a variety of malicious actions, such as extracting system information, deploying Python-based spyware to log keystrokes and steal credentials, or executing files and commands. Due to the nature of PlushDaemon’s attack vector, the group has “the ability to engage targets anywhere in the world.”
For more information on indicators of compromise and technical details about the malware, see ESET’s investigation into PlushDaemon.
The best antivirus for all budgets
