ESET researchers provide details on a previously undisclosed China-aligned APT group that we track as PlushDaemon and one of its cyberespionage operations: the supply-chain compromise in 2023 of VPN software developed by a South Korean company, where the attackers replaced the legitimate installer with one that also deployed the group's signature implant, which we have named SlowStepper – a feature-rich backdoor with a toolkit of more than 30 components.
Key points of this blogpost:
- PlushDaemon is a China-aligned threat group, engaged in cyberespionage operations.
- PlushDaemon's main initial access vector is hijacking legitimate updates of Chinese applications, but we have also uncovered a supply-chain attack against a South Korean VPN developer.
- We believe PlushDaemon is the exclusive user of several implants, including SlowStepper for Windows.
- SlowStepper has a large toolkit composed of about 30 modules, written in C++, Python, and Go.
Overview
In May 2024, we noticed detections of malicious code in an NSIS installer for Windows that users from South Korea had downloaded from the website of the legitimate VPN software IPany (https://ipany.kr/; see Figure 1), which is developed by a South Korean company. Upon further analysis, we discovered that the installer was deploying both the legitimate software and the backdoor that we've named SlowStepper. We contacted the VPN software developer to inform them of the compromise, and the malicious installer was removed from their website.
We attribute this operation to PlushDaemon – a China-aligned threat actor active since at least 2019, engaging in espionage operations against individuals and entities in China, Taiwan, Hong Kong, South Korea, the United States, and New Zealand. PlushDaemon uses a custom backdoor that we track as SlowStepper, and its main initial access method is to hijack legitimate updates by redirecting traffic to attacker-controlled servers. Additionally, we have observed the group gaining access via vulnerabilities in legitimate web servers.

The victims appear to have manually downloaded a ZIP archive containing a malicious NSIS installer from the URL https://ipany[.]kr/download/IPanyVPNsetup.zip. We found no suspicious code on the download page (shown in Figure 1) to produce targeted downloads, for example by geofencing to specific targeted regions or IP ranges; therefore, we believe that anyone using the IPany VPN might have been a valid target.
Via ESET telemetry, we found that several users attempted to install the trojanized software in the network of a semiconductor company and of an unidentified software development company in South Korea. The two oldest cases registered in our telemetry were a victim from Japan in November 2023, and a victim from China in December 2023.
Technical analysis
As illustrated in Figure 2, when the malicious IPanyVPNsetup.exe installer is executed, it creates several directories and deploys both legitimate and malicious files.

Additionally, the installer establishes persistence for SlowStepper by adding an entry named IPanyVPN to a Run key, with the value %PUBLIC%\Documents\WPSDocuments\WPSManager\svcghost.exe, so that the malicious component svcghost.exe (later extracted and deployed by the loader in EncMgr.pkg) is launched when the operating system starts.
The first malicious component loaded by the installer is the AutoMsg.dll loader. Figure 3 illustrates the major steps taken during the execution of this component.

When IPanyVPNSetup.exe calls ExitProcess, the patched bytes redirect execution to the shellcode that loads EncMgr.pkg into memory and executes it.
EncMgr.pkg creates two directories – WPSDocuments and WPSManager – in %PUBLIC%\Documents, and the deployment begins by extracting components from the custom archives NetNative.pkg and FeatureFlag.pkg. The components are dropped to disk and moved to other locations under new filenames. The sequence of actions is as follows:
1. Extracts the files from NetNative.pkg to:
a. %PUBLIC%\Documents\WPSDocuments\WPSManager\assist.dll,
b. %PUBLIC%\Documents\WPSDocuments\WPSManager\msvcr100.dll,
c. %PUBLIC%\Documents\WPSDocuments\WPSManager\PerfWatson.exe, and
d. %PUBLIC%\Documents\WPSDocuments\WPSManager\svcghost.exe.
2. Deletes NetNative.pkg.
3. Moves FeatureFlag.pkg to C:\ProgramData\Microsoft Shared\Filters\SystemInfo\winlogin.gif.
4. Moves assist.dll to C:\ProgramData\Microsoft Shared\Filters\SystemInfo\Winse.gif.
5. Extracts a file from Winse.gif to %PUBLIC%\Documents\WPSDocuments\WPSManager\lregdll.dll.
6. Copies data from BootstrapCache.pkg to %PUBLIC%\Documents\WPSDocuments\WPSManager\Qmea.dat.
Its last actions are to execute svcghost.exe using the ShellExecute API and then exit.
The svcghost.exe component monitors the PerfWatson.exe process, in which the backdoor is loaded, ensuring that it is always running. If the process is not running, it executes PerfWatson.exe (originally a legitimate command line utility named regcap.exe, included in Visual Studio), which the attackers abuse to side-load lregdll.dll. The DLL's purpose is to load the SlowStepper backdoor from the winlogin.gif file.
On a new thread, svcghost.exe creates a nameless window that ignores all messages except WM_CLOSE, WM_QUERYENDSESSION, and WM_ENDSESSION. When any of these three messages is received, the thread attempts to establish persistence in the Windows registry, depending on the permissions of the current process; see Table 1.
Table 1. Registry keys targeted for persistence
Requires | Registry key | Entry | Value |
Administrator | HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon | Userinit | Current path of svcghost.exe. |
User | HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows | load | Current path of svcghost.exe. |
The SlowStepper backdoor
SlowStepper is a backdoor developed in C++ with extensive use of object-oriented programming in the C&C communications code. Although the code contains hundreds of functions, the particular version used in the supply-chain compromise of the IPany VPN software appears to be version 0.2.10 Lite, according to strings in the backdoor's code. The so-called "Lite" version does indeed contain fewer features than other, both earlier and newer, versions.
The oldest version of the SlowStepper backdoor that we know of is 0.1.7, compiled on 2019-01-31 according to its PE timestamps; the newest is 0.2.12, compiled on 2024-06-13, and is the full version of the backdoor.
Both the full and the Lite versions make use of an array of tools written in Python and Go, which include capabilities for extensive collection of data, and for spying through recording of audio and video. The tools were stored in a remote code repository hosted on the Chinese platform GitCode, under the LetMeGo22 account; at the time of writing, the profile was private (Figure 4).

C&C communications
SlowStepper does not carry the C&C IP address in its configuration; instead, it crafts a DNS query to obtain a TXT record for the domain 7051.gsm.360safe[.]company. The query is sent to one of three legitimate, public DNS servers, so blocking the C&C domain at the local resolver alone does not stop the lookup:
- 8.8.8.8 – Google Public DNS,
- 114.114.114.114 – 114dns.com, or
- 223.5.5.5 – Alibaba Public DNS.
We obtained four such records associated with that domain:
- &%QT%#/zZDmb4ATTVIxwHXPLGrj0FAOV7q+P/sMG109ooj5YLnVZBs3R/eZcuQximtgLkf
- &%QT%#/zZDmb4ATTVIxwHXPLGrj0FAOV7q+P/sMG109ooj5YKQs3XiHSjM3f+h9ok9XfQ1AjoX+C4UXZsDLVqCDhvxyw==
- &%QT%#aT1sAjOFTcwzQ7hwc0iyfygP/ooo8pkIRyaNKWcqBz+QRGYBV/2v8HrVg28+aZXhfXvgDxS1vXAuhdcN2dEKxw==
- &%QT%#aT1sAjOFTcwzQ7hwc0iyfySJBEDM0z6na7BiogG0hDJqdKlUqkrb9ppOjg8epeQ6I6cUXWLKyZGZCkJwFyKD4Q==
The format of the data in the record is shown in Figure 5. The code checks whether the first six bytes of the TXT record match &%QT%# and, if so, extracts the rest of the string, which is a base64-encoded, AES-encrypted blob containing an array of ten IP addresses to be used as C&C servers. The key used for decryption is sQi9&*2Uhy3Fg7se and the IV is Qhsy&7y@bsG9st#g.

When parsing the decrypted data, the code can extract at least four data identifiers, described in Table 2.
Table 2. Data types processed by the backdoor's code
Data identifier | Size of data | Description |
0x04 | 4 | Data is an IP address. |
0x05 | 6 | Data is an IP address and port number. |
0x06 | 16 | Skips the next 16 bytes of data. We suspect that, given the size of the data, it may be an IPv6 address. |
0x00–0x03, 0x07–0xFF | The data identifier value is the data size. | Skips that many bytes of data (meaning unknown). |
One of the IP addresses is chosen and SlowStepper connects to the C&C server via TCP to begin its communication protocol. If, after a number of attempts, it fails to establish a connection to the server, it uses the gethostbyname API on the domain st.360safe[.]company to obtain the IP address mapped to that domain and uses that IP as its fallback C&C server.
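The record-to-server-list pipeline described above, written out as an added example (editor-supplied code, not ESET's and not the malware's own): it checks the &%QT%# marker, base64-decodes the remainder, and walks the decrypted blob according to Table 2. Three details are not stated on the page and are marked as assumptions in the code: that the AES mode is CBC with the 16-byte key and IV quoted above (the analysis gives key and IV but not mode or padding), that IPv4 addresses are stored in network byte order, and that the port of a 0x05 entry is big-endian. Decryption uses pycryptodome and is imported lazily; the parser is exercised on a constructed plaintext so the walk can be checked offline. The block also performs a sanity check a practitioner should make before trusting a published key: all four records decode to ciphertext lengths that are multiples of the 16-byte AES block, as a plain block-cipher mode would require.

```python
"""Decode the SlowStepper DNS TXT record format (editor-supplied example)."""
import base64
import ipaddress
import struct
from typing import List, Optional, Tuple

MAGIC = b"&%QT%#"                 # six-byte marker checked by the backdoor
KEY = b"sQi9&*2Uhy3Fg7se"         # AES key quoted in the analysis
IV = b"Qhsy&7y@bsG9st#g"          # IV quoted in the analysis

# The four TXT records published in the analysis.
RECORDS = [
    "&%QT%#/zZDmb4ATTVIxwHXPLGrj0FAOV7q+P/sMG109ooj5YLnVZBs3R/eZcuQximtgLkf",
    "&%QT%#/zZDmb4ATTVIxwHXPLGrj0FAOV7q+P/sMG109ooj5YKQs3XiHSjM3f+h9ok9XfQ1AjoX+C4UXZsDLVqCDhvxyw==",
    "&%QT%#aT1sAjOFTcwzQ7hwc0iyfygP/ooo8pkIRyaNKWcqBz+QRGYBV/2v8HrVg28+aZXhfXvgDxS1vXAuhdcN2dEKxw==",
    "&%QT%#aT1sAjOFTcwzQ7hwc0iyfySJBEDM0z6na7BiogG0hDJqdKlUqkrb9ppOjg8epeQ6I6cUXWLKyZGZCkJwFyKD4Q==",
]


def extract_ciphertext(txt_record: str) -> Optional[bytes]:
    """Return the AES blob carried by a record, or None if the marker is absent."""
    raw = txt_record.encode("ascii")
    if not raw.startswith(MAGIC):
        return None
    return base64.b64decode(raw[len(MAGIC):], validate=True)


def ciphertext_lengths() -> List[int]:
    """Blob lengths of the published records; each must be a multiple of 16
    for a plain block-cipher mode such as CBC to be plausible."""
    return [len(extract_ciphertext(r)) for r in RECORDS]


def decrypt_blob(blob: bytes, key: bytes = KEY, iv: bytes = IV) -> bytes:
    """ASSUMPTION: AES-128-CBC with no padding removal (the analysis names the
    key and IV only). Needs pycryptodome; imported lazily so the parser below
    works without it."""
    from Crypto.Cipher import AES  # pip install pycryptodome
    if len(blob) % AES.block_size:
        raise ValueError("ciphertext is not block aligned")
    return AES.new(key, AES.MODE_CBC, iv).decrypt(blob)


def parse_server_list(data: bytes) -> Tuple[List[str], List[Tuple[int, int]]]:
    """Walk the decrypted blob using the identifier rules of Table 2.
    Returns (servers, skipped); skipped lists (identifier, size) for entries
    that carry no usable address."""
    servers: List[str] = []
    skipped: List[Tuple[int, int]] = []
    pos = 0
    while pos < len(data):
        ident = data[pos]
        pos += 1
        if ident == 0x04:
            size = 4          # IPv4 address
        elif ident == 0x05:
            size = 6          # IPv4 address + port
        elif ident == 0x06:
            size = 16         # probably IPv6; the backdoor skips it
        else:
            size = ident      # any other identifier is its own length
        chunk = data[pos:pos + size]
        if len(chunk) != size:
            raise ValueError(f"truncated 0x{ident:02x} entry at offset {pos - 1}")
        pos += size
        if ident == 0x04:
            servers.append(str(ipaddress.IPv4Address(chunk)))   # ASSUMPTION: network order
        elif ident == 0x05:
            ip = ipaddress.IPv4Address(chunk[:4])
            (port,) = struct.unpack(">H", chunk[4:])            # ASSUMPTION: big-endian port
            servers.append(f"{ip}:{port}")
        else:
            skipped.append((ident, size))
    return servers, skipped


def decode_txt_record(txt_record: str) -> Tuple[List[str], List[Tuple[int, int]]]:
    """Full pipeline: marker check, base64, AES-CBC, Table 2 walk."""
    blob = extract_ciphertext(txt_record)
    if blob is None:
        raise ValueError("record does not carry the &%QT%# marker")
    return parse_server_list(decrypt_blob(blob))


# Constructed plaintext (not recovered from a real record) covering every Table 2 case.
SAMPLE_PLAINTEXT = (
    b"\x04" + bytes([47, 74, 159, 166])                               # 0x04: IPv4
    + b"\x05" + bytes([8, 130, 87, 195]) + (443).to_bytes(2, "big")    # 0x05: IPv4 + port
    + b"\x06" + b"\x00" * 16                                           # 0x06: 16 bytes, skipped
    + b"\x03" + b"\xaa\xbb\xcc"                                        # 0x03: skip 3 bytes
    + b"\x04" + bytes([202, 189, 8, 87])                               # 0x04: IPv4
)

if __name__ == "__main__":
    print("blob lengths:", ciphertext_lengths())
    print("parsed sample:", parse_server_list(SAMPLE_PLAINTEXT))
```

Because the decryption key and IV are static, anyone holding them can read every record PlushDaemon ever published; the same property means a defender who captures the TXT lookup on the wire can recover the full C&C list without touching the implant, which is why the resolver-side lookup is worth logging.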
Once communication is established, SlowStepper can process the commands listed in Table 3.
Table 3. Basic commands supported by SlowStepper
Command ID | Action performed |
0x32 | Collects the following information from the compromised machine and sends it to the server: · brand of the CPU, using the CPUID instruction, · HDDs connected to the machine and their serial numbers, · computer name, · local host name, · public IP address, by querying multiple services, · list of running processes, · list of installed applications, · network interface information, · additional information about the computer's drives, such as volume name and free space, · system memory, · current username, · persistence type used, · whether cameras are connected, · whether microphones are connected, · whether the operating system is running in a virtual machine, · system uptime, · HTTP proxy configuration, and · whether queries to the DNS server at 114.114.114.114:53 to resolve the addresses of two legitimate domains, cf.duba.net (Kingsoft) and f.360.cn (Qihoo 360), failed or succeeded. It is unclear to us what the purpose of this information is. |
0x38 | Executes a Python module from its toolkit; the output and any files created by the module are sent to the server. The process is very similar to the one used in shell mode. |
0x39 | Deletes the specified file. |
0x3A | This command can process other commands sent by the operator in SlowStepper's shell mode, which we explain in more detail below. Alternatively, it can also: · Run a command via cmd.exe and send the output back to the server. · Run a command via cmd.exe without sending the output to the server. |
0x3C | Uninstalls SlowStepper by removing its persistence mechanism and deleting its files. |
0x3F | Lists files in the specified directory, and lists drives. |
0x5A | Downloads and executes the specified file. |
SlowStepper has a rather unusual feature: the developers implemented a custom shell, or command line interface, on top of its communication protocol. While the backdoor accepts and handles commands in the traditional way, the 0x3A command activates the interpretation of operator-written commands (Table 4).
Table 4. Commands supported in shell mode
Command | Parameters | Description |
cd | Path to a directory. | Checks whether a directory exists. |
gcall | Module name and other unknown parameter(s). | This function can perform two tasks: · Download a module from the remote code repository and execute it. The module is expected to be a console application. · Send a file from the compromised machine to the operator. |
pycall | Tool name to be executed. | This command is explained in detail in the Execution of tools via SlowStepper's pycall shell command section. |
restart | self | Restarts SlowStepper by rerunning the host process and calling the ExitProcess API. Returns the message "The mode of NSP doesn't support restart self." when SlowStepper is running in a process via a persistence method that abuses Winsock namespace providers; however, that method is not included in this version of SlowStepper. |
update | N/A | Downloads a module from the remote code repository, replacing a previously existing version. |
gconfig | show | Displays the value of ServerIP (the C&C IP address). |
gconfig | set | Changes the value of ServerIP. The console suggests the following to the operator: "If you want make the Configuration effective immediately, please command “gconfig reload”." |
gconfig | reload | Reloads the configuration. |
getname | N/A | Returns the name of the current process in which SlowStepper is running. |
getdll | N/A | Returns the name of the SlowStepper DLL in the current process. |
getpid | N/A | Returns the process ID of the current process in which SlowStepper is running. |
getsid | N/A | Returns the Remote Desktop Services session ID of the current process. This suggests that SlowStepper might also be intended to compromise machines running Windows Server. |
getpwd | N/A | Downloads getcode.mod from the remote code repository and executes it using rundll32.exe. The module generates a file, named psf.bin, that contains the collected data. |
gcmd | query | Creates a complete report of information about the specified file or directory. |
gcmd | delete | Deletes the specified file, directory, or all files in a directory. |
gcmd | set | Sets configuration parameters. |
gcmd | terminate | Terminates the specified process. |
gcmd | cancel | Creates a file with the .delete extension. |
Execution of tools via SlowStepper's pycall shell command
Figure 6 illustrates the execution chain, starting when the operator issues a pycall command to request the execution of a Python module on the compromised machine; here, as an example, the module CollectInfo.

From the remote repository, the pycall command downloads a ZIP archive that contains the Python interpreter and its supporting libraries. One of three possible custom distributions is downloaded, as outlined in Table 5.
Table 5. List of custom Python distributions and the conditions under which they are downloaded
Condition | Archive name | Description |
The Windows operating system is XP. | winxppy.org | Python 3.4 |
All required Windows API set (stub) DLLs and the Microsoft C runtime are present. | winpy_no_rundll.org | Python 3.7 |
Neither of the preceding conditions is met. | win7py.org | Python 3.7; includes the Windows API set (stub) DLLs and the Microsoft C runtime library. |
Figure 7 shows the directory structure of the decompressed archive containing the Python distribution, listing only the malicious files included within it.

SlowStepper runs the Python interpreter using the following command line:
%PUBLIC%\Documents\WPSDocuments\WPSManager\Python\Pythonw.exe -m runas <module_name>
The module named runas is a custom Python script (Figure 8) that loads another custom Python module named help, from which it uses the function named run to decrypt the requested module and execute it.
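The on-disk footprint of the chain, from the installer's drops and the Table 1 persistence values through the regcap.exe side-load to the pythonw.exe -m runas launch above, reduces to a handful of host telemetry checks. The following is an added example (editor-supplied, not ESET's detection logic) that runs those checks over constructed Sysmon-style events: the paths, filenames, registry values and command line are the ones the analysis reports; the event shape, the field names and the sample events are constructed for the example, and the benign events at the end exist only to show what must not fire.

```python
"""Host telemetry checks for the SlowStepper deployment chain (editor-supplied example)."""
import re
from typing import Dict, List, Tuple

Event = Dict[str, str]

# Paths and names taken from the analysis, lower-cased for matching.
STAGING_DIR = r"\wpsdocuments\wpsmanager"                     # under %PUBLIC%\Documents
FILTERS_DIR = r"c:\programdata\microsoft shared\filters\systeminfo"
SIDELOAD_HOSTS = {"perfwatson.exe", "runtimesvc.exe"}        # renamed regcap.exe
PERSISTENCE_VALUES = (
    r"\currentversion\run\ipanyvpn",                         # installer Run key entry
    r"\windows nt\currentversion\winlogon\userinit",         # Table 1, administrator
    r"\windows nt\currentversion\windows\load",              # Table 1, user
)
PYCALL_RE = re.compile(r"pythonw?\.exe\S*\s+-m\s+runas\b")   # Pythonw.exe -m runas <module>


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def check_event(ev: Event) -> List[str]:
    """Return the reasons (possibly none) an event matches the chain."""
    hits: List[str] = []
    kind = ev.get("kind", "")
    image = ev.get("Image", "").lower()
    if kind == "process_create":
        cmd = ev.get("CommandLine", "").lower()
        if STAGING_DIR in image and _basename(image) in ("python.exe", "pythonw.exe"):
            hits.append("Python interpreter started from the WPSManager staging directory")
        if PYCALL_RE.search(cmd):
            hits.append("pycall launch pattern (python -m runas <module>)")
        if _basename(image) in SIDELOAD_HOSTS and STAGING_DIR in image:
            hits.append("side-load host (renamed regcap.exe) started from staging directory")
    elif kind == "image_load":
        loaded = ev.get("ImageLoaded", "").lower()
        if _basename(loaded) == "lregdll.dll" and _basename(image) in SIDELOAD_HOSTS:
            hits.append("lregdll.dll side-loaded by PerfWatson.exe/RuntimeSvc.exe")
        elif STAGING_DIR in loaded:
            hits.append("DLL loaded from the WPSManager staging directory")
    elif kind == "registry_set":
        target = ev.get("TargetObject", "").lower()
        details = ev.get("Details", "").lower()
        for suffix in PERSISTENCE_VALUES:
            if target.endswith(suffix):
                hits.append(f"persistence value written: ...{suffix}")
        if "svcghost.exe" in details:
            hits.append("registry value points at svcghost.exe")
    elif kind == "file_create":
        target = ev.get("TargetFilename", "").lower()
        if target.startswith(FILTERS_DIR) and target.endswith(".gif"):
            hits.append("payload staged as .gif under Filters\\SystemInfo")
    return hits


def scan(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every event through check_event; returns (event index, reason) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in check_event(ev)]


# Constructed events in a Sysmon-like shape: the first five are the chain, the rest are benign noise.
SAMPLE_EVENTS: List[Event] = [
    {"kind": "file_create", "Image": r"C:\Users\alice\Downloads\IPanyVPNsetup.exe",
     "TargetFilename": r"C:\ProgramData\Microsoft Shared\Filters\SystemInfo\winlogin.gif"},
    {"kind": "registry_set", "Image": r"C:\Users\alice\Downloads\IPanyVPNsetup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\IPanyVPN",
     "Details": r"C:\Users\Public\Documents\WPSDocuments\WPSManager\svcghost.exe"},
    {"kind": "process_create", "Image": r"C:\Users\Public\Documents\WPSDocuments\WPSManager\PerfWatson.exe",
     "CommandLine": r"C:\Users\Public\Documents\WPSDocuments\WPSManager\PerfWatson.exe",
     "ParentImage": r"C:\Users\Public\Documents\WPSDocuments\WPSManager\svcghost.exe"},
    {"kind": "image_load", "Image": r"C:\Users\Public\Documents\WPSDocuments\WPSManager\PerfWatson.exe",
     "ImageLoaded": r"C:\Users\Public\Documents\WPSDocuments\WPSManager\lregdll.dll"},
    {"kind": "process_create", "Image": r"C:\Users\Public\Documents\WPSDocuments\WPSManager\Python\Pythonw.exe",
     "CommandLine": r'"C:\Users\Public\Documents\WPSDocuments\WPSManager\Python\Pythonw.exe" -m runas CollectInfo',
     "ParentImage": r"C:\Users\Public\Documents\WPSDocuments\WPSManager\PerfWatson.exe"},
    {"kind": "process_create", "Image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\Tools\regcap.exe",
     "CommandLine": "regcap.exe", "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"kind": "registry_set", "Image": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"kind": "process_create", "Image": r"C:\Python311\pythonw.exe",
     "CommandLine": r'"C:\Python311\pythonw.exe" -m pip list', "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

The Userinit and load checks fire on any write to those values rather than on the svcghost.exe path alone: both are rarely touched by legitimate software, and alerting on the write rather than the value catches a renamed payload.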

Table 6 lists the modules that we retrieved from the remote repository during the time it was available.
Table 6. List of Python modules and their purpose
Filename on disk | Original module name | Purpose |
900150983cd24fb0d6963f7d28e17f72 | abc | Test module that prints hello world. |
ef15fd2f45e6bb5ce57587895ba64f93 | Browser | Collects a wide range of data from web browsers: Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Cốc Cốc browser, UC Browser, 360 Browser, and Mozilla Firefox. |
967d35e40f3f95b1f538bd248640bf3b | Camera | If the machine has a camera connected, it takes photos. |
a7ba857c30749bf4ad76c93de945f41b | CollectInfo | Scans the disk for files with extensions .txt, .doc, .docx, .xls, .xlsx, .ppt, and .pptx. Collects information from several software titles, including: LetsVPN, Tencent QQ, WeChat, Kingsoft WPS, e2eSoft VCam, KuGou, Oray Sunlogin, and ToDesk. |
6002396e8a3e3aa796237f6469eb84f8 | Decode | Downloads a module from the remote repository and decrypts it. |
9348a97af6e8a2f482d5dbee402c8c6f | DingTalk | Collects a wide range of data from DingTalk (a corporate management tool developed in China), including chat messages, audio, video, contact information, and groups the user has joined. |
801ab24683a4a8c433c6eb40c48bcd9d | Download | Downloads (non-malicious) Python packages. |
16654b501ac48e4675c9eb0cf2b018f6 | FileScanner | Scans the disk for files, using the same code as CollectInfo. |
7d3b40764db47a45e9bc3f1169a47fe2 | FileScannerAllDisk | Scans the disk for files, using the same code as CollectInfo. |
3582f6ebaf9b612940011f98b110b315 | getOperaCookie | Gets cookies from the Opera browser. |
10ae9fc7d453b0dd525d0edf2ede7961 | list | Lists modules with a .py extension. |
ce5bf551379459c1c61d2a204061c455 | Location | Obtains the IP address of the machine and its GPS coordinates, using online services. |
68e36962b09c99d6675d6267e81909ad | Location1 | Obtains the IP address of the machine and its GPS coordinates, using online services. |
5e0a529f8acc19b42e45d97423df2eb4 | LocationByIP | Obtains the IP address of the machine and its GPS coordinates, using online services. |
c84fcb037b480bd25ff9aaaebce5367e | PackDir | Creates a ZIP archive of the specified file. |
4518dc0ae0ff517b428cda94280019fa | qpass | This script appears to be unfinished. It obtains and decrypts passwords from Tencent QQ Browser. Probably replaced by the qqpass module. |
5fbf04644f45bb2be1afffe43f5fbb57 | qqpass | Obtains and decrypts passwords from Google Chrome, Mozilla Firefox, Tencent QQ Browser, 360 Chrome, and UC Browser. |
874f5aaef6ec4af83c250ccc212d33dd | ScreenRecord | Records the screen, saving the result as an AVI file inside a ZIP archive. |
c915683f3ec888b8edcc7b06bd1428ec | Telegram | Collects account information from the Telegram desktop application. |
104be797a980bcbd1fa97eeacfd7f161 | Webpass | Similar to the qqpass module. |
e5b152ed6b4609e94678665e9a972cbc | WeChat | One of the largest modules; it collects a wide range of data from WeChat. |
6d07a4ebf4dff8e5d4fdb61f1844cc12 | Wechat_all_file | Collects data from WeChat. |
17cf4a6dd339a1312959fd344fe92308 | Wechat_src | Collects data from WeChat. |
8326cef49f458c94817a853674422379 | Wechat1 | Similar to WeChat. |
427f01be70f46f02ef0d18fcbbfaf01d | WechatFile | Similar to WeChat. |
72704d83b916fa1f7004e0fdef4b77ae | WirelessKey | Collects wireless network information and passwords, and the output of the ipconfig /all command. |
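The "Filename on disk" column is not arbitrary: the first row, 900150983cd24fb0d6963f7d28e17f72, is exactly the MD5 digest of the string "abc" (the RFC 1321 test vector), which is one way a repository can hide module names while still letting the implant look them up. The analysis does not state this scheme, and whether every other row follows it, possibly with a different case or a .py suffix, cannot be verified by hand here, so the following added example (editor-supplied, not part of the analysis) makes the check explicit: it hashes the candidate spellings of each listed module name and reports which on-disk filenames they reproduce. Only the abc row is asserted; the other rows are reported, not assumed. The case and suffix variants tried are assumptions and are marked as such in the code.

```python
"""Recover Table 6 module names from their hash-like on-disk filenames (editor-supplied example)."""
import hashlib
from typing import Dict, Iterable, Optional

# On-disk filename -> module name, exactly as listed in Table 6.
TABLE_6: Dict[str, str] = {
    "900150983cd24fb0d6963f7d28e17f72": "abc",
    "ef15fd2f45e6bb5ce57587895ba64f93": "Browser",
    "967d35e40f3f95b1f538bd248640bf3b": "Camera",
    "a7ba857c30749bf4ad76c93de945f41b": "CollectInfo",
    "6002396e8a3e3aa796237f6469eb84f8": "Decode",
    "9348a97af6e8a2f482d5dbee402c8c6f": "DingTalk",
    "801ab24683a4a8c433c6eb40c48bcd9d": "Download",
    "16654b501ac48e4675c9eb0cf2b018f6": "FileScanner",
    "7d3b40764db47a45e9bc3f1169a47fe2": "FileScannerAllDisk",
    "3582f6ebaf9b612940011f98b110b315": "getOperaCookie",
    "10ae9fc7d453b0dd525d0edf2ede7961": "list",
    "ce5bf551379459c1c61d2a204061c455": "Location",
    "68e36962b09c99d6675d6267e81909ad": "Location1",
    "5e0a529f8acc19b42e45d97423df2eb4": "LocationByIP",
    "c84fcb037b480bd25ff9aaaebce5367e": "PackDir",
    "4518dc0ae0ff517b428cda94280019fa": "qpass",
    "5fbf04644f45bb2be1afffe43f5fbb57": "qqpass",
    "874f5aaef6ec4af83c250ccc212d33dd": "ScreenRecord",
    "c915683f3ec888b8edcc7b06bd1428ec": "Telegram",
    "104be797a980bcbd1fa97eeacfd7f161": "Webpass",
    "e5b152ed6b4609e94678665e9a972cbc": "WeChat",
    "6d07a4ebf4dff8e5d4fdb61f1844cc12": "Wechat_all_file",
    "17cf4a6dd339a1312959fd344fe92308": "Wechat_src",
    "8326cef49f458c94817a853674422379": "Wechat1",
    "427f01be70f46f02ef0d18fcbbfaf01d": "WechatFile",
    "72704d83b916fa1f7004e0fdef4b77ae": "WirelessKey",
}


def md5_hex(text: str) -> str:
    """Hex MD5 of a UTF-8 string (MD5 is used here for a lookup, not for integrity)."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def candidate_spellings(name: str) -> Iterable[str]:
    """ASSUMPTION: the string the repository hashed may differ from the listed
    name only in letter case or by a .py suffix. These are the variants tried."""
    base = {name, name.lower(), name.upper()}
    return base | {b + ".py" for b in base}


def build_lookup(names: Iterable[str]) -> Dict[str, str]:
    """Map MD5(spelling) -> listed module name for every candidate spelling."""
    table: Dict[str, str] = {}
    for name in names:
        for spelling in candidate_spellings(name):
            table.setdefault(md5_hex(spelling), name)
    return table


def resolve(filename_on_disk: str, names: Iterable[str] = tuple(TABLE_6.values())) -> Optional[str]:
    """Map a hash-named file back to a module name, or None if no candidate hashes to it.
    Useful for triage of a recovered WPSManager\\Python directory."""
    return build_lookup(names).get(filename_on_disk.lower())


def audit_table(table: Dict[str, str] = TABLE_6) -> Dict[str, Optional[str]]:
    """For each Table 6 row: listed name -> name recovered by hashing,
    or None when the MD5 scheme does not explain that row."""
    lookup = build_lookup(table.values())
    return {listed: lookup.get(on_disk) for on_disk, listed in table.items()}


if __name__ == "__main__":
    for listed, recovered in audit_table().items():
        print(f"{listed:20s} -> {recovered if recovered else 'not explained by MD5(name)'}")
```

Rows that come back unexplained are not evidence against the scheme; they only show that the repository hashed a spelling other than the one the analysis lists, and the candidate set can be widened once a sample of the loader's lookup code is in hand.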
In addition to the Python toolkit, we found other tools stored in the remote code repository (Table 7) that are not encrypted; some of these were written in C/C++ and others in Go, as noted below.
Table 7. Tools and their function
Tool filename | Description |
agent.mod | Reverse proxy written in Go. |
getcode.mod, getcode64.mod | Mimikatz. This tool is a DLL downloaded by the getpwd command. |
InitPython.mod | Old downloader to install the custom Python distribution on the compromised machine. This tool is a DLL. |
Remote.mod | RealVNC server that allows the attackers to remotely control the compromised machine. This tool is a DLL. |
soc.mod | Reverse proxy written in Go. Signed with a certificate from a Chinese company called Hangzhou Fuyang Qisheng Information Technology Service Department. We were unable to find any information about the company. |
stoll.mod | Tool used to perform downloads, written in Go. Signed with a certificate from the Chinese company Zhoushan Xiaowen Software Development Studio. We were unable to find any information about the company. |
Conclusion
In this blogpost, we have analyzed a supply-chain attack against a Korean VPN provider, targeting users in East Asia, as is evident from the specific software targeted for information collection and as confirmed via ESET telemetry. We also documented the SlowStepper backdoor, used exclusively by PlushDaemon. This backdoor is notable for its multistage C&C protocol using DNS, and for its ability to download and execute dozens of additional Python modules with espionage capabilities.
The many components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for.
For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com.
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
IoCs
A comprehensive list of indicators of compromise and samples can be found in our GitHub repository.
Files
SHA-1 | Filename | Detection | Description |
A8AE42884A8EDFA17E9D67AE5BEBE7D196C3A7BF | AutoMsg.dll | Win32/ShellcodeRunner.GZ | Initial loader DLL. |
2DB60F0ADEF14F4AB3573F8309E6FB135F67ED7D | lregdll.dll | Win32/Agent.AGUU | Loader DLL for the SlowStepper backdoor. |
846C025F696DA1F6808B9101757C005109F3CF3D | OldLJM.dll | Win32/Agent.AGXL | Installer DLL, internally named OldLJM.dll. It is extracted from EncMgr.pkg and executed in memory. |
AD4F0428FC9290791D550EEDDF171AFF046C4C2C | svcghost.exe | Win32/Agent.AGUU | Process monitor component that launches PerfWatson.exe or RuntimeSvc.exe to side-load lregdll.dll. |
401571851A7CF71783A4CB902DB81084F0A97F85 | main.dll | Win32/Agent.AEIJ | Decrypted SlowStepper backdoor component. |
068FD2D209C0BBB0C6FC14E88D63F92441163233 | IPanyVPNsetup.exe | Win32/ShellcodeRunner.GZ | Malicious IPany installer. Contains the SlowStepper implant and the legitimate IPany VPN software. |
Network
IP | Domain | Hosting provider | First seen | Details |
202.189.8[.]72 | reverse.wcsset[.]com | Shandong eshinton Network Technology Co., Ltd. | 2024‑10‑14 | Server used by the soc.mod reverse proxy tool. |
47.96.17[.]237 | agt.wcsset[.]com | Hangzhou Alibaba Advertising Co.,Ltd. | 2024‑10‑14 | Server used by the agent.mod tool. |
N/A | 7051.gsm.360safe[.]company | N/A | 2020‑09‑29 | SlowStepper queries this domain to obtain its associated DNS TXT record. |
202.105.1[.]187 | st.360safe[.]company | IRT-CHINANET-CN | 2021‑03‑11 | Fallback C&C server contacted by SlowStepper. |
47.74.159[.]166 | N/A | Alibaba (US) Technology Co., Ltd. | 2020‑09‑29 | SlowStepper C&C server. |
8.130.87[.]195 | N/A | Hangzhou Alibaba Advertising Co.,Ltd. | 2020‑09‑29 | SlowStepper C&C server. |
47.108.162[.]218 | N/A | Hangzhou Alibaba Advertising Co.,Ltd. | 2020‑09‑29 | SlowStepper C&C server. |
47.113.200[.]18 | N/A | Hangzhou Alibaba Advertising Co.,Ltd. | 2020‑09‑29 | SlowStepper C&C server. |
47.104.138[.]190 | N/A | Guowei Pan | 2020‑09‑29 | SlowStepper C&C server. |
120.24.193[.]58 | N/A | Hangzhou Alibaba Advertising Co.,Ltd. | 2020‑09‑29 | SlowStepper C&C server. |
202.189.8[.]87 | N/A | Shandong eshinton Network Technology Co., Ltd. | 2020‑09‑29 | SlowStepper C&C server. |
202.189.8[.]69 | N/A | Shandong eshinton Network Technology Co., Ltd. | 2020‑09‑29 | SlowStepper C&C server. |
202.189.8[.]193 | N/A | Shandong eshinton Network Technology Co., Ltd. | 2020‑09‑29 | SlowStepper C&C server. |
47.92.6[.]64 | N/A | Hangzhou Alibaba Advertising Co.,Ltd. | 2020‑09‑29 | SlowStepper C&C server. |
MITRE ATT&CK techniques
This table was built using version 16 of the MITRE ATT&CK framework.
Tactic | ID | Name | Description |
Resource Development | T1583.001 | Acquire Infrastructure: Domains | PlushDaemon has acquired domain names for its C&C infrastructure. |
Resource Development | T1583.004 | Acquire Infrastructure: Server | PlushDaemon has acquired servers to be used as C&C servers. |
Resource Development | T1608.001 | Stage Capabilities: Upload Malware | PlushDaemon has staged its toolkit on the code repository website GitCode. |
Resource Development | T1608.002 | Stage Capabilities: Upload Tool | PlushDaemon has staged its toolkit on the code repository website GitCode. |
Resource Development | T1588.001 | Obtain Capabilities: Malware | PlushDaemon has access to SlowStepper. |
Resource Development | T1588.002 | Obtain Capabilities: Tool | PlushDaemon's tools getcode.mod and getcode64.mod use Mimikatz. |
Resource Development | T1588.003 | Obtain Capabilities: Code Signing Certificates | PlushDaemon's tools soc.mod and stoll.mod are signed. |
Resource Development | T1588.005 | Obtain Capabilities: Exploits | PlushDaemon has used an unidentified exploit for Apache HTTP Server. |
Initial Access | T1659 | Content Injection | PlushDaemon can intercept network traffic to hijack update protocols and deliver its SlowStepper implant. |
Initial Access | T1190 | Exploit Public-Facing Application | PlushDaemon exploited an unidentified vulnerability in Apache HTTP Server. |
Initial Access | T1195.002 | Supply Chain Compromise: Compromise Software Supply Chain | PlushDaemon has compromised the supply chain of a VPN developer and replaced the original installer with a trojanized one containing the SlowStepper implant. |
Execution | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | SlowStepper uses cmd.exe to execute commands on a compromised machine. |
Execution | T1059.006 | Command and Scripting Interpreter: Python | SlowStepper for Windows can use the Python interpreter to execute the Python components of its toolkit. |
Persistence | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | The SlowStepper installer establishes persistence by adding an entry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. |
Persistence | T1547.004 | Boot or Logon Autostart Execution: Winlogon Helper DLL | The SlowStepper process monitor component can establish persistence by adding an entry in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit or HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load. |
Persistence | T1574.002 | Hijack Execution Flow: DLL Side-Loading | PlushDaemon has abused a legitimate command line utility included in Visual Studio, regcap.exe, to side-load a malicious DLL named lregdll.dll. |
Defense Evasion | T1222.001 | File and Directory Permissions Modification: Windows File and Directory Permissions Modification | SlowStepper modifies the access rights of the directory where its components are stored on disk. |
Defense Evasion | T1070.004 | Indicator Removal: File Deletion | SlowStepper can remove its own files. |
Defense Evasion | T1036.005 | Masquerading: Match Legitimate Name or Location | SlowStepper uses filenames and directory names that mimic legitimate software. |
Defense Evasion | T1112 | Modify Registry | SlowStepper can modify the registry. |
Defense Evasion | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | SlowStepper dynamically resolves Windows API functions. |
Defense Evasion | T1027.009 | Obfuscated Files or Information: Embedded Payloads | SlowStepper loader DLLs contain embedded, position-independent code, executed in memory, to load components. |
Defense Evasion | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | SlowStepper components are stored encrypted on disk. |
Defense Evasion | T1553.002 | Subvert Trust Controls: Code Signing | PlushDaemon's tools soc.mod and stoll.mod are signed. |
Discovery | T1217 | Browser Information Discovery | SlowStepper's Browser tool collects information from browsers. |
Discovery | T1083 | File and Directory Discovery | SlowStepper and its tools can search for files with specific extensions, or enumerate files in directories. |
Discovery | T1120 | Peripheral Device Discovery | SlowStepper and its toolkit can detect devices connected to the compromised machine. |
Discovery | T1057 | Process Discovery | SlowStepper can create a list of running processes. |
Discovery | T1012 | Query Registry | SlowStepper can query the registry. |
Discovery | T1518 | Software Discovery | SlowStepper can create a list of software installed on the compromised machine. |
Discovery | T1082 | System Information Discovery | SlowStepper can collect system information. |
Discovery | T1614 | System Location Discovery | SlowStepper's Location tool attempts to discover the likely geolocation of the compromised machine by querying several online services. |
Discovery | T1016 | System Network Configuration Discovery | SlowStepper collects information from the network adapters. |
Discovery | T1016.002 | System Network Configuration Discovery: Wi-Fi Discovery | SlowStepper's WirelessKey tool collects a wide range of information about the Wi-Fi network. |
Discovery | T1033 | System Owner/User Discovery | SlowStepper obtains the username. |
Collection | T1560.002 | Archive Collected Data: Archive via Library | SlowStepper's tools can compress the collected data into ZIP archives. |
Collection | T1123 | Audio Capture | SlowStepper can capture audio if the compromised machine has a microphone. |
Collection | T1005 | Data from Local System | SlowStepper and its tools collect a wide range of data from the compromised system. |
Collection | T1074.001 | Data Staged: Local Data Staging | SlowStepper and its tools stage data locally before exfiltrating it to the C&C server. |
Collection | T1113 | Screen Capture | SlowStepper's ScreenRecord tool can record the screen. |
Collection | T1125 | Video Capture | SlowStepper's Camera tool can capture from the camera if the compromised machine has one. |
Command and Control | T1071.004 | Application Layer Protocol: DNS | SlowStepper retrieves a DNS TXT record that contains an AES-encrypted list of C&C servers. |
Command and Control | T1132.001 | Data Encoding: Standard Encoding | SlowStepper retrieves a DNS TXT record that contains an AES-encrypted list of C&C servers. The record is base64 encoded. |
Command and Control | T1573.001 | Encrypted Channel: Symmetric Cryptography | SlowStepper's communication protocol with its C&C is encrypted with AES. |
Command and Control | T1008 | Fallback Channels | SlowStepper obtains a fallback C&C server IP address by resolving an alternative domain controlled by the attackers. |
Command and Control | T1105 | Ingress Tool Transfer | SlowStepper downloads additional tools from a remote code repository at GitCode. |
Command and Control | T1104 | Multi-Stage Channels | SlowStepper obtains a list of C&C servers by querying the DNS TXT record of a domain controlled by the attackers; if no communication can be established with those servers, it resolves the IP address of another attacker-controlled domain to obtain a backup server. SlowStepper's tools use other servers from PlushDaemon's infrastructure. |
Command and Control | T1095 | Non-Application Layer Protocol | SlowStepper communicates with its C&C via TCP. |
Command and Control | T1090 | Proxy | SlowStepper's tools agent.mod and soc.mod are reverse proxies. |
Command and Control | T1219 | Remote Access Software | SlowStepper's tool Remote.mod allows its operator to remotely control the compromised machine via VNC. |
Exfiltration | T1020 | Automated Exfiltration | SlowStepper can exfiltrate staged data. |
Exfiltration | T1041 | Exfiltration Over C2 Channel | SlowStepper exfiltrates collected data when connected to one of its C&C servers. |