A sophisticated China-aligned threat group known as PlushDaemon has been actively targeting networks globally since 2018, utilizing a specialized tool called EdgeStepper to hijack legitimate software updates. This advanced attack method allows them to redirect unsuspecting users and organizations to malicious servers, injecting malware disguised as authentic updates. The group’s operations have been detected in the United States, Taiwan, China, Hong Kong, New Zealand, and Cambodia, employing various entry points including software vulnerabilities and weak network device credentials.
The discovery of EdgeStepper by ESET security analysts followed the examination of an ELF binary file on VirusTotal, which revealed infrastructure details linked to PlushDaemon. This tool, internally codenamed dns_cheat_v2, is a critical component in the group’s persistent campaigns. It intercepts and redirects DNS queries, effectively compromising the integrity of the software update process that users rely on from trusted vendors. The scale of their operations was further evidenced by their involvement in a major supply-chain attack targeting a South Korean VPN service in 2023.
PlushDaemon’s EdgeStepper Leverages Sophisticated Update Hijacking
PlushDaemon’s attack methodology is a multi-stage process designed to bypass conventional security measures. Initial network compromise can occur through the exploitation of unpatched software vulnerabilities or the use of weak credentials on network devices like routers. Once inside the network, the EdgeStepper malware initiates its core function of intercepting Domain Name System (DNS) traffic. This interception is key to its ability to manipulate software updates.
When a user attempts to update applications, particularly those commonly used in China such as Sogou Pinyin, EdgeStepper intervenes. It redirects the user’s connection, not to the legitimate software vendor’s update server, but to an attacker-controlled server. This compromised intermediary then directs the legitimate software to download a malicious Dynamic Link Library (DLL) file instead of the intended, verified update. This technique exploits the inherent trust users place in software update mechanisms.
DNS Interception and Traffic Redirection Mechanism
The effectiveness of EdgeStepper hinges on its network manipulation capabilities. Written in Go and likely compiled for MIPS32 processors, the malware begins by reading an encrypted configuration file named bioset.conf. The file is decrypted with AES in CBC mode, using a default key and initialization vector derived from the string “I Love Go Frame,” a default value found in the GoFrame library.
Upon successful decryption, the configuration file yields two crucial parameters: toPort, denoting the listening port for the malware, and host, which specifies the domain name of the malicious DNS node. EdgeStepper subsequently initiates two primary internal systems: Distributor and Ruler. The Distributor component is responsible for resolving the IP address of the malicious DNS node and managing the flow of redirected traffic. Concurrently, the Ruler system issues specific iptables commands.
These commands redirect all UDP traffic destined for port 53, the standard port for DNS queries, to EdgeStepper’s designated listening port. The precise command used is “iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-port [value_from_toPort]”. Once this rule is in place, every DNS request originating from devices within the compromised network is forced to pass through EdgeStepper before reaching legitimate DNS servers. This establishes a man-in-the-middle position on name resolution, enabling interception and modification of the update instructions directed to various software applications and thereby facilitating the deployment of malicious payloads.
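To give defenders a concrete check for the redirect rule described above, here is an added example (not from ESET’s report and not EdgeStepper’s own code) that scans iptables-save output for nat-table rules diverting DNS traffic; the sample rule set and the listening port 5353 are constructed for illustration.

```python
import shlex

# Constructed sample of `iptables-save -t nat` output. The first PREROUTING rule mirrors
# the EdgeStepper redirect quoted above; the listening port 5353 standing in for
# [value_from_toPort] is an assumption for this example, not a value from the report.
SAMPLE_IPTABLES_SAVE = """\
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A PREROUTING -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

def _parse_options(argv):
    # Map "-opt value" pairs to {opt: value}; bare flags map to True.
    opts, i = {}, 0
    while i < len(argv):
        has_value = i + 1 < len(argv) and not argv[i + 1].startswith("-")
        opts[argv[i]] = argv[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def find_dns_hijack_rules(iptables_save_text):
    """Return nat-table rules that divert port-53 traffic to another port or host."""
    findings, table = [], None
    for raw in iptables_save_text.splitlines():
        line = raw.strip()
        if line.startswith("*"):                 # table header such as "*nat"
            table = line[1:]
            continue
        if table != "nat" or not line.startswith("-A "):
            continue                             # only nat-table append rules matter
        argv = shlex.split(line)
        chain, opts = argv[1], _parse_options(argv[2:])
        if chain not in ("PREROUTING", "OUTPUT"):
            continue                             # traffic entering or leaving the box
        ports = opts.get("--dport") or opts.get("--dports") or ""
        if "53" not in str(ports).split(","):
            continue                             # not DNS (also catches multiport lists)
        target = opts.get("-j")
        to = {"REDIRECT": opts.get("--to-ports") or opts.get("--to-port"),
              "DNAT": opts.get("--to-destination")}.get(target)
        if not to:
            continue                             # REDIRECT/DNAT are the diverting targets
        findings.append({"chain": chain, "proto": opts.get("-p"), "target": target,
                         "to": to, "rule": line})
    return findings
```

On a suspect router, feed the real output of iptables-save -t nat to find_dns_hijack_rules; a REDIRECT or DNAT of port 53 to a port or host the device is not meant to serve DNS from is the indicator to investigate.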
The continued activity of PlushDaemon and the sophistication of tools like EdgeStepper underscore the evolving threat landscape posed by nation-state sponsored cyber activities. Organizations globally must remain vigilant in implementing robust network security measures, including regular software patching, strong credential management, and advanced threat detection systems to counter such persistent and adaptable threats. Without continuous adaptation of defensive strategies, the risk of falling victim to supply-chain attacks and malware injection through seemingly legitimate channels remains significant.