
Digital safety starts here, for both commercial and personal use.

Defend Your Business Against the Latest WNY Cyber Threats. We offer safe, secure and affordable solutions for your business and personal networks and devices.



WNYCyber is there to help you choose the best service providers in Western New York. We DO NOT provide the services ourselves; we are Internet programmers who have to deal daily with cyber threats (Ugghhh), so we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA. We built this website to help steer you to those that can give you the best service at realistic, non-inflated prices. We do not charge or collect any fees.

China-aligned PlushDaemon APT Compromises Supply Chain of Korean VPN

Summary:
PlushDaemon, a newly identified China-aligned advanced persistent threat (APT) group, has been linked to a supply chain attack targeting a South Korean VPN provider in 2023, as revealed by ESET. The attackers replaced a legitimate installer on the provider’s website with a compromised version that not only installed the VPN software but also deployed the group’s sophisticated backdoor, SlowStepper. Active since at least 2019, SlowStepper is a modular toolkit with over 30 components written in C++, Python, and Go, enabling espionage, data theft, and system exploitation. The attack chain began with the execution of a tampered installer, which established persistence on the host system and launched a series of modules to sideload the malware payload. SlowStepper, embedded in a disguised file named winlogin.gif, provides extensive capabilities, including harvesting data from browsers, messaging apps, and files, as well as enabling surveillance through screen recording and camera access.

The backdoor also supports remote execution of Python modules and deployment of additional payloads hosted on GitCode, a Chinese code repository. It employs a sophisticated command-and-control (C&C) protocol using DNS queries to communicate with its servers, with fallback mechanisms ensuring reliability.
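The two traits the summary names, a payload disguised under a non-executable extension that gets sideloaded, and command-and-control carried over DNS, are both visible in ordinary endpoint and resolver telemetry. The example below is added here and is not code from ESET or this site: it runs two simple checks over constructed log lines (the process name, paths, client IPs and domain are placeholders), and its "many distinct subdomains under one domain" heuristic is a general DNS-tunnelling tell, not a reconstruction of the SlowStepper protocol.

```python
import ntpath
import re
from collections import defaultdict

# Extensions a Windows loader is expected to map as PE images.
PE_EXTENSIONS = {".dll", ".exe", ".sys", ".ocx", ".cpl"}

# Constructed Sysmon-style image-load records (vpnclient.exe is a placeholder
# process name, not the real VPN client). Format: "ImageLoaded=<path> Process=<exe>"
IMAGE_LOAD_LOG = """\
ImageLoaded=C:\\Windows\\System32\\kernel32.dll Process=vpnclient.exe
ImageLoaded=C:\\ProgramData\\Cache\\winlogin.gif Process=vpnclient.exe
ImageLoaded=C:\\Program Files\\VPN\\libssl.dll Process=vpnclient.exe
"""

# Constructed resolver log: "<client-ip> <qtype> <qname>". The domain is a placeholder.
DNS_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 TXT a3f9c1e2b7d4.x9q2.c2-placeholder.example
10.0.0.5 TXT 91bb0e4c7d2a.x9q2.c2-placeholder.example
10.0.0.5 A 5e7a2c9b1f08.x9q2.c2-placeholder.example
10.0.0.7 A mail.example.com
10.0.0.7 A www.example.com
"""

def suspicious_image_loads(log: str) -> list[tuple[str, str]]:
    """Return (process, path) for every loaded module whose extension is not a
    PE type, e.g. a payload disguised as winlogin.gif and then sideloaded."""
    hits = []
    for line in log.splitlines():
        m = re.match(r"ImageLoaded=(.+?) Process=(\S+)$", line)
        if m and ntpath.splitext(m.group(1))[1].lower() not in PE_EXTENSIONS:
            hits.append((m.group(2), m.group(1)))
    return hits

def dns_beacon_candidates(log: str, min_distinct: int = 3) -> list[tuple[str, str]]:
    """Flag (client, registered domain) pairs that query at least min_distinct
    different subdomains: data carried in DNS labels looks like this, ordinary
    browsing rarely does. Registered domain is approximated as the last two labels."""
    subdomains = defaultdict(set)
    for line in log.splitlines():
        client, _qtype, qname = line.split()
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) > 2:
            subdomains[(client, ".".join(labels[-2:]))].add(".".join(labels[:-2]))
    return sorted(k for k, subs in subdomains.items() if len(subs) >= min_distinct)

if __name__ == "__main__":
    print(suspicious_image_loads(IMAGE_LOAD_LOG))
    print(dns_beacon_candidates(DNS_LOG))
```

Both checks are meant as triage filters feeding an analyst, not as blocking rules; legitimate software occasionally loads resources from odd paths and CDNs use many subdomains, so tune `PE_EXTENSIONS` and `min_distinct` against your own baseline.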


Security Officer Comments:
Targets of the attack included networks associated with a semiconductor company and a software development firm in South Korea, with earlier infections detected in Japan and China. PlushDaemon’s operation underscores its ability to exploit legitimate software update channels and vulnerabilities, making it a significant espionage threat. ESET’s analysis highlights the group’s dedication to developing SlowStepper, a backdoor that has evolved over the years, reflecting its focus on long-term intelligence collection and operational effectiveness.


Suggested Corrections:
Organizations can make APT groups’ lives more difficult. Here’s how:
  • Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.
  • Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.
  • Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.
  • Incident response and recovery: Despite preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.
Link(s):
https://www.helpnetsecurity.com/2025/01/22/plushdaemon-apt-slowstepper-supply-chain-compromise/

https://www.welivesecurity.com/en/e...-compromises-supply-chain-korean-vpn-service/