PlushDaemon: China-Aligned APT Deploys 'EdgeStepper' Network Implant for Adversary-in-the-Middle Attacks

Executive Summary

Security researchers from ESET have discovered a sophisticated toolset used by PlushDaemon, a China-aligned Advanced Persistent Threat (APT) group. The key component is a previously unknown network implant named EdgeStepper, which is designed to conduct adversary-in-the-middle (AitM) attacks at the network level. By compromising network devices, PlushDaemon uses EdgeStepper to hijack legitimate software update traffic, allowing them to covertly deploy additional malware onto target machines. The full attack chain involves other custom tools, including LittleDaemon, DaemonicLogistics, and the final Windows payload, SlowStepper. This discovery highlights the advanced capabilities of the threat group to achieve persistent, stealthy access into target environments globally.

Threat Overview

• Threat Actor: PlushDaemon, an APT group attributed to China.
• Malware Family: A modular toolset including:
  • EdgeStepper: The network implant for AitM attacks.
  • LittleDaemon & DaemonicLogistics: Deployment tools.
  • SlowStepper: The final Windows implant/payload.
• Primary Tactic: Adversary-in-the-Middle (T1657 - Financial Theft) at the network layer, specifically targeting software updates, which is a form of Supply Chain Compromise (T1195.001 - Compromise Software Supply Chain).

Technical Analysis

The attack framework employed by PlushDaemon is complex and demonstrates a high level of sophistication, focusing on compromising network infrastructure to gain a powerful strategic advantage.

1. Initial Compromise: The initial vector for compromising the network device (e.g., a router or firewall) is not specified but likely involves exploiting a known or zero-day vulnerability.
2. Implant Deployment: Once the network device is compromised, the attackers use the LittleDaemon and DaemonicLogistics tools to deploy the EdgeStepper implant onto it.
3. Network Traffic Interception: EdgeStepper functions as a traffic redirector. It monitors traffic passing through the compromised device, specifically looking for software update requests from hosts on the internal network.
4. Adversary-in-the-Middle (AitM): When a target machine requests a legitimate software update, EdgeStepper intercepts this request. Instead of allowing the connection to the real update server, it redirects the traffic to an attacker-controlled server.
5. Payload Delivery: The attacker's server delivers the malicious SlowStepper Windows implant, disguised as the legitimate software update. The user and many security tools see a valid update process, making the attack extremely stealthy.
6. Persistence and Espionage: Once SlowStepper is installed on the Windows host, it establishes persistence and provides the PlushDaemon operators with long-term access for espionage, data theft, or further malware deployment.

Impact Assessment

• High-Stealth Intrusion: By hijacking a trusted process like software updates, this attack method can bypass application whitelisting, antivirus, and user scrutiny. The initial compromise occurs on a network device, which is often less monitored than endpoints.
• Widespread Internal Compromise: From a single compromised network device, the attackers can compromise numerous machines within the network as they request updates, allowing for rapid and widespread internal proliferation.
• Persistent Access: The SlowStepper implant provides the APT group with a durable foothold inside the target network, enabling long-term intelligence gathering and data exfiltration.
• Supply Chain Risk: This technique represents a localized form of supply chain attack. While it doesn't compromise the software vendor directly, it poisons the delivery mechanism, achieving the same result from the victim's perspective.

Cyber Observables for Detection

Detecting this activity is challenging and requires deep network analysis:

Detection & Response

• Network Traffic Analysis: Deploy network security monitoring tools (like Zeek or Suricata) to inspect traffic. Look for signs of DNS hijacking or TCP session hijacking. D3FEND's D3-NTA - Network Traffic Analysis is paramount.
• SSL/TLS Inspection: Where possible, perform SSL/TLS inspection to validate certificates for software update traffic. Certificate pinning validation failures on endpoints should be investigated immediately.
• Firmware Integrity Monitoring: For critical network devices, use solutions that can monitor the integrity of the device's firmware and configuration to detect unauthorized modifications or implants like EdgeStepper.
• Endpoint Behavioral Analysis: On Windows hosts, use an EDR to monitor for suspicious behavior following a software update, such as the creation of new services or unusual network connections by the updated process.

Mitigation

1. Harden Network Devices: Secure routers, firewalls, and switches by changing default credentials, disabling unnecessary services, and applying security patches promptly. Restrict management access to a secure, isolated network segment.
2. Enforce HTTPS and Certificate Pinning: Ensure that software updates are downloaded exclusively over HTTPS. Where supported, leverage certificate pinning to ensure the client only trusts the authentic vendor's update server certificate, which would cause an AitM attack to fail. This is part of D3FEND's D3-CP - Certificate Pinning.
3. Code Signing Verification: Configure systems to only accept and install software updates that are digitally signed by the legitimate vendor. This would prevent the unsigned SlowStepper implant from being installed (M1045 - Code Signing).
4. Network Segmentation: Segmenting the network can limit the visibility and reach of a compromised network device, preventing it from intercepting traffic from all parts of the network.