Advanced Persistent Threat Group Linked to South Korean VPN Attack

A previously undocumented China-aligned advanced persistent threat (APT) group, named PlushDaemon, has been linked to a supply chain attack targeting a South Korean virtual private network (VPN) provider in 2023, according to new findings from ESET.

The Attack

The attackers replaced the legitimate installer with one that also deployed the group’s signature implant, named SlowStepper – a feature-rich backdoor with a toolkit of more than 30 components, as stated by ESET researcher Facundo Muñoz in a technical report shared with The Hacker News.

Background on PlushDaemon

PlushDaemon is assessed to be a China-nexus group that has been operational since at least 2019, targeting individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand.

SlowStepper: A Key Component of PlushDaemon

Central to its operations is a bespoke backdoor called SlowStepper, which is designed to provide a range of functionalities, including:

  • getOperaCookie, which obtains cookies from the Opera browser
  • Location, which obtains the IP address of the computer and the GPS coordinates
  • qpass, which harvests data from Tencent QQ Browser (likely replaced by the qqpass module)
  • qqpass and Webpass, which harvest passwords from Google Chrome, Mozilla Firefox, Tencent QQ Browser, 360 Chrome, and UC Browser
  • ScreenRecord, which records the screen
  • Telegram, which harvests data from Telegram
  • WeChat, which harvests data from WeChat
  • WirelessKey, which harvests wireless network information and passwords

Additional Findings

ESET also identified, in the group's remote code repository, several programs written in Golang that provide reverse proxy and download functionality.

Conclusion

The numerous components in the PlushDaemon toolset, and its rich version history, show that, although previously undocumented, this China-aligned APT group has been diligently developing a wide array of tools, making it a significant threat to watch.
