PlushDaemon compromises supply chain of Korean VPN service

ESET researchers provide details on a previously undisclosed China-aligned APT group that we track as PlushDaemon and one of its cyberespionage operations: the supply-chain compromise in 2023 of VPN software developed by a South Korean company, where the attackers replaced the legitimate installer with one that also deployed the group’s signature implant that we have named SlowStepper – a feature-rich backdoor with a toolkit of more than 30 components.

Key points of this blogpost:

• PlushDaemon is a China-aligned threat group, engaged in cyberespionage operations.
• PlushDaemon’s main initial access vector is hijacking legitimate updates of Chinese applications, but we have also uncovered a supply-chain attack against a South Korean VPN developer.
• We believe PlushDaemon is the exclusive user of several implants, including SlowStepper for Windows.
• SlowStepper has a large toolkit composed of around 30 modules, programmed in C++, Python, and Go.

Overview

In May 2024, we noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the website of the legitimate VPN software IPany (https://ipany.kr/; see Figure 1), which is developed by a South Korean company. Upon further analysis, we discovered that the installer was deploying both the legitimate software and the backdoor that we’ve named SlowStepper. We contacted the VPN software developer to inform them of the compromise, and the malicious installer was removed from their website.

We attribute this operation to PlushDaemon – a China-aligned threat actor active since at least 2019, engaging in espionage operations against individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. PlushDaemon uses a custom backdoor that we track as SlowStepper, and its main initial access technique is to hijack legitimate updates by redirecting traffic to attacker-controlled servers. Additionally, we have observed the group gaining access via vulnerabilities in legitimate web servers.

The victims appear to have manually downloaded a ZIP archive containing a malicious NSIS installer from the URL https://ipany[.]kr/download/IPanyVPNsetup.zip. We found no suspicious code on the download page (shown in Figure 1) to produce targeted downloads, for example by geofencing to specific targeted regions or IP ranges; therefore, we believe that anyone using the IPany VPN might have been a valid target.

Via ESET telemetry, we found that several users attempted to install the trojanized software in the network of a semiconductor company and an unidentified software development company in South Korea. The two oldest cases registered in our telemetry were a victim from Japan in November 2023, and a victim from China in December 2023.

Technical analysis

As illustrated in Figure 2, when the malicious IPanyVPNsetup.exe installer is executed, it creates several directories and deploys both legitimate and malicious files.

Additionally, the installer establishes persistence for SlowStepper by adding an entry named IPanyVPN to a Run key, with the value %PUBLIC%\Documents\WPSDocuments\WPSManager\svcghost.exe, so that the malicious component svcghost.exe (later extracted and deployed by the loader in EncMgr.pkg) is launched when the operating system starts.

The first malicious component that is loaded by the installer is the AutoMsg.dll loader. Figure 3 illustrates the major steps taken during the execution of this component.

When IPanyVPNSetup.exe calls ExitProcess, the patched bytes redirect execution to the shellcode that loads EncMgr.pkg into memory and executes it.

EncMgr.pkg creates two directories – WPSDocuments and WPSManager – in %PUBLIC%\Documents and the deployment begins by extracting components from the custom archives NetNative.pkg and FeatureFlag.pkg. The components are dropped to disk and moved to other locations with new filenames. The sequence and actions taken are as follows:

1. Extracts the files from NetNative.pkg to:

a. %PUBLIC%\Documents\WPSDocuments\WPSManager\assist.dll,

b. %PUBLIC%\Documents\WPSDocuments\WPSManager\msvcr100.dll,

c. %PUBLIC%\Documents\WPSDocuments\WPSManager\PerfWatson.exe, and

d. %PUBLIC%\Documents\WPSDocuments\WPSManager\svcghost.exe.

2. Deletes NetNative.pkg.

3. Moves FeatureFlag.pkg to C:\ProgramData\Microsoft Shared\Filters\SystemInfo\winlogin.gif.

4. Moves assist.dll to C:\ProgramData\Microsoft Shared\Filters\SystemInfo\Winse.gif.

5. Extracts file from Winse.gif to %PUBLIC%\Documents\WPSDocuments\WPSManager\lregdll.dll.

6. Copies data from BootstrapCache.pkg to %PUBLIC%\Documents\WPSDocuments\WPSManager\Qmea.dat.

Its last actions are to execute svcghost.exe using the ShellExecute API and then exit.

The svcghost.exe component performs monitoring of the PerfWatson.exe process, where the backdoor is loaded, ensuring that it is always running. If the processes are not running, it executes PerfWatson.exe (originally a legitimate command line utility named regcap.exe, included in Visual Studio), which the attackers abuse to side-load lregdll.dll. The DLL’s goal is to load the SlowStepper backdoor from the winlogin.gif file.

On a new thread, it creates a nameless window that ignores all messages except WM_CLOSE, WM_QUERYENDSESSION, and WM_ENDSESSION. When any of these three messages is received, the thread attempts to establish persistence in the Windows registry, depending on the permissions of the current process; see Table 1.

Table 1. Registry keys targeted for persistence

The SlowStepper backdoor

SlowStepper is a backdoor developed in C++ with extensive use of object-oriented programming in the C&C communications code. Although the code contains hundreds of functions, the particular variant used in the supply-chain compromise of the IPany VPN software appears to be version 0.2.10 Lite, according to the backdoor’s code. The so-called “Lite” version indeed contains fewer features than other previous and newer versions.

The oldest version of the SlowStepper backdoor that we know of is 0.1.7, compiled on 2019-01-31 according to its PE timestamps; the newest one is 0.2.12, compiled on 2024-06-13, and is the full version of the backdoor.

Both the full and Lite versions make use of an array of tools programmed in Python and Go, which include capabilities for extensive collection of data, and spying through recording of audio and videos. The tools were stored in a remote code repository hosted on the Chinese platform GitCode, under the LetMeGo22 account; at the time of writing, the profile was private (Figure 4).

C&C communications

SlowStepper does not carry the C&C IP address in its configuration; instead, it crafts a DNS query to obtain a TXT record for the domain 7051.gsm.360safe[.]company. The query is sent to one of three legitimate, public DNS servers:

• 8.8.8.8 – Google Public DNS,
• 114.114.114.114 – 114dns.com, or
• 223.5.5.5 – Alibaba Public DNS.

We obtained four such records associated with that domain:

• &%QT%#/zZDmb4ATTVIxwHXPLGrj0FAOV7q+P/sMG109ooj5YLnVZBs3R/eZcuQximtgLkf
• &%QT%#/zZDmb4ATTVIxwHXPLGrj0FAOV7q+P/sMG109ooj5YKQs3XiHSjM3f+h9ok9XfQ1AjoX+C4UXZsDLVqCDhvxyw==
• &%QT%#aT1sAjOFTcwzQ7hwc0iyfygP/ooo8pkIRyaNKWcqBz+QRGYBV/2v8HrVg28+aZXhfXvgDxS1vXAuhdcN2dEKxw==
• &%QT%#aT1sAjOFTcwzQ7hwc0iyfySJBEDM0z6na7BiogG0hDJqdKlUqkrb9ppOjg8epeQ6I6cUXWLKyZGZCkJwFyKD4Q==

The format of the data in the query is shown in Figure 5. The code checks whether the first six bytes of the TXT record match &%QT%# and if so, it extracts the rest of the string, which is a base64-encoded AES-encrypted blob containing an array of 10 IP addresses to be used as C&C servers. The key used for decryption is sQi9&*2Uhy3Fg7se and the IV is Qhsy&7y@bsG9st#g.

When parsing the decrypted data, the code can extract at least four data identifiers, described in Table 2.

Table 2. Data types processed by the backdoor’s code

One of the IP addresses is chosen and SlowStepper connects to the C&C server via TCP to begin its communication protocol. If, after a number of attempts, it fails to establish a connection to the server, it uses the gethostbyname API on the domain st.360safe[.]company to obtain the IP address mapped to that domain and uses the obtained IP as its fallback C&C server.

Once communication is established, SlowStepper can process the commands listed in Table 3.

Table 3. Basic commands supported by SlowStepper

SlowStepper has a rather unusual feature: the developers implemented a custom shell, or command line interface, on top of its communication protocol. While the backdoor accepts and handles commands in the traditional way, the 0x3A command activates the interpretation of operator-written commands (Table 4).

Table 4. Commands supported in shell mode

Execution of tools via SlowStepper’s pycall shell command

Figure 6 illustrates the execution chain, starting when the operator issues a pycall command to request the execution of a Python module on the compromised machine; here, as an example, the module CollectInfo.

From the remote repository, the pycall command downloads a ZIP archive that contains the Python interpreter and its supporting libraries. One of three possible customized distributions is downloaded, as outlined in Table 5.

Table 5. List of customized Python distributions and the conditions under which they are downloaded

Figure 7 shows the directory structure of the decompressed archive containing the Python distribution, listing only the malicious files that are included within.

SlowStepper runs the Python interpreter using the following command line:

%PUBLIC%\Documents\WPSDocuments\WPSManager\Python\Pythonw.exe -m runas <module_name>

The module named runas is a custom Python script (Figure 8) that loads another custom Python module named help from which it uses the function named run to decrypt the module and execute it.

Table 6 lists the modules that we recovered from the remote repository during the time it was available.

Table 6. List of Python modules and their purpose

In addition to the Python toolkit, we found, stored in the remote code repository other tools (Table 7) that are not encrypted; some of these were programmed in C/C++ and others in Go, as noted below.

Table 7. Tools and their function

Conclusion

In this blogpost, we have analyzed a supply-chain attack against a Korean VPN provider, targeting users in East Asia, as evident through the specific software targeted for information collection and confirmed via ESET telemetry. We also documented the SlowStepper backdoor, used exclusively by PlushDaemon. This backdoor is notable for its multistage C&C protocol using DNS, and its ability to download and execute dozens of additional Python modules with espionage capabilities.

The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. 

ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.

IoCs

A comprehensive list of indicators of compromise and samples can be found in our GitHub repository.

Files

Network

MITRE ATT&CK techniques

This table was built using version 16 of the MITRE ATT&CK framework.