
China-aligned threat actor is conducting widespread cyberespionage campaigns

A China-aligned threat group that reroutes network traffic in order to hijack software updates has been mounting cyberespionage campaigns against victims in the U.S., Taiwan and elsewhere, according to new research.

The threat group PlushDaemon plants an implant on routers and other network devices to redirect domain name system (DNS) queries to malicious external servers, which hijack software updates in order to deliver tools used for cyberespionage, researchers at ESET revealed Wednesday.

The network implant, which ESET has dubbed EdgeStepper, diverts traffic meant for legitimate software-update infrastructure to infrastructure controlled by the attackers. The attackers then deliver the downloaders LittleDaemon and DaemonLogistics to the targeted devices, and the downloaders in turn deploy a backdoor toolkit used for cyberespionage.

The attacks have been underway since 2019, with a Beijing university, a Taiwanese electronics manufacturer, a company in the automotive sector and a Japanese manufacturer among the targets, the researchers said in a blog post.

The attackers have hijacked the update channels of several popular Chinese software products to deliver the malware, the researchers said.

PlushDaemon likely gains access to the network devices by exploiting software vulnerabilities or by using weak default administrative credentials, and then deploys EdgeStepper on them, the researchers said.

“EdgeStepper begins redirecting DNS queries to a malicious DNS node that verifies whether the domain in the DNS query message is related to software updates, and if so, it replies with the IP address of the hijacking node,” ESET researcher Facundo Muñoz said in a statement.
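The logic Muñoz describes gives defenders something concrete to look for: the hijacking node answers only update-related queries, and it answers all of them with its own address. The script below, an added example written for this article rather than code from ESET or The Record, runs two checks over resolver logs: it compares the answers for known update domains against a known-good baseline, and it flags any single IP that several unrelated update-looking domains resolve to. The log line format, the domain names, the address ranges and the "update-looking" label heuristic are all assumptions; the sample log lines are constructed.

```python
"""Flag DNS answers for software-update domains that look hijacked."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample resolver log lines. The domains, addresses and line
# format are hypothetical; none of them come from ESET's report.
SAMPLE_LOG = """\
2025-11-19T10:00:01Z client=10.0.0.12 resolver=10.0.0.1 q=update.example-app.test A=203.0.113.10
2025-11-19T10:00:02Z client=10.0.0.12 resolver=10.0.0.1 q=www.example-news.test A=198.51.100.7
2025-11-19T10:05:13Z client=10.0.0.13 resolver=10.0.0.1 q=update.example-app.test A=192.0.2.44
2025-11-19T10:05:14Z client=10.0.0.13 resolver=10.0.0.1 q=dl.example-ime.test A=192.0.2.44
2025-11-19T10:05:15Z client=10.0.0.13 resolver=10.0.0.1 q=www.example-news.test A=198.51.100.7
"""

LINE_RE = re.compile(
    r"client=(?P<client>\S+) resolver=(?P<resolver>\S+) q=(?P<q>\S+) A=(?P<a>\S+)"
)

# Hostname labels that suggest a software-update endpoint (assumed heuristic;
# tune it to the products actually deployed in your environment).
UPDATE_LABEL_RE = re.compile(r"(^|\.)(update|updates|upgrade|dl|download|patch)(\.|-)", re.I)

# Assumed known-good address ranges per update domain, gathered out of band
# (for example from a trusted resolver reached over a different network path).
BASELINE = {
    "update.example-app.test": [ipaddress.ip_network("203.0.113.0/24")],
    "dl.example-ime.test": [ipaddress.ip_network("203.0.113.0/24")],
}


def parse_log(text):
    """Turn log lines into (client, resolver, domain, answer_ip) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            domain = m["q"].lower().rstrip(".")
            records.append((m["client"], m["resolver"], domain, ipaddress.ip_address(m["a"])))
    return records


def is_update_domain(domain):
    """True if the hostname carries an update-style label."""
    return bool(UPDATE_LABEL_RE.search(domain))


def find_hijacks(records, baseline=BASELINE):
    """Answers for baselined update domains that fall outside the known-good ranges."""
    hits = []
    for client, resolver, domain, ip in records:
        nets = baseline.get(domain)
        if nets is None:
            continue
        if not any(ip in net for net in nets):
            hits.append({"client": client, "domain": domain, "ip": str(ip), "resolver": resolver})
    return hits


def shared_sink_ips(records, min_domains=2):
    """Addresses that several distinct update-looking domains resolve to.

    A hijacking node returns its own address for every update-related query,
    so unrelated update domains collapsing onto one IP is a signal that does
    not depend on having a baseline for each domain.
    """
    by_ip = defaultdict(set)
    for _, _, domain, ip in records:
        if is_update_domain(domain):
            by_ip[str(ip)].add(domain)
    return {ip: doms for ip, doms in by_ip.items() if len(doms) >= min_domains}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for hit in find_hijacks(recs):
        print("baseline mismatch:", hit)
    for ip, doms in shared_sink_ips(recs).items():
        print("shared sink:", ip, sorted(doms))
```

Both checks only see what the resolver logs see. If the implant sits on the edge device and rewrites queries before they reach your resolver, compare what endpoints actually resolve with what a resolver on a clean path returns, rather than trusting the edge device's own answers.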

PlushDaemon has been active since at least 2018 and has historically conducted cyberespionage campaigns against individuals and entities located in the U.S. and the East Asia-Pacific, the researchers said.

In January, ESET revealed that PlushDaemon had been targeting users in East Asia by compromising a virtual private network (VPN) installer made by the South Korean company IPany to infect devices with malware.

Suzanne Smalley is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.