SlowStepper Backdoor Malware
In 2023, a previously undocumented China-aligned Advanced Persistent Threat (APT) group, PlushDaemon, emerged on the cybersecurity radar following a sophisticated supply chain attack on a South Korean VPN provider. This attack involved replacing the legitimate installer with a compromised version and deploying their signature implant, SlowStepper.
SlowStepper: A Versatile Backdoor in PlushDaemon’s Arsenal
Central to PlushDaemon's operations is SlowStepper, a feature-rich backdoor boasting a toolkit of over 30 components. Written in C++, Python, and Go, this backdoor serves as the group's primary instrument for espionage and intrusion. SlowStepper has been in development since at least 2019, evolving through multiple iterations, with its latest version compiled in June 2024.
Hijacked Channels: The Key to Initial Access
PlushDaemon's attack strategy frequently exploits vulnerabilities in Web servers and hijacks legitimate software update channels. In this case the group gained initial access by embedding malicious code into the NSIS installer of a VPN software distributed via the website 'ipany.kr'. The compromised installer delivered both the legitimate software and the SlowStepper backdoor.
Target Scope and Victimology
The attack potentially affected any entity downloading the booby-trapped installer. Evidence shows attempts to install the compromised software in networks associated with a South Korean semiconductor company and an unidentified software developer. Initial victims were identified in Japan and China in late 2023, reflecting the group's widespread reach.
A Complex Attack Chain: SlowStepper’s Deployment
The attack begins with execution of the installer ('IPanyVPNsetup.exe'), which sets up persistence and launches a loader ('AutoMsg.dll'). This loader runs shellcode that extracts malicious DLL files and sideloads them through legitimate, signed binaries such as 'PerfWatson.exe'. The final stage deploys SlowStepper from an innocuously named file ('winlogin.gif').
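Two observables in that chain are cheap to hunt for on an endpoint: a signed helper binary (the article names 'PerfWatson.exe') loading a DLL from its own, non-system folder, and a payload stored under an image extension ('winlogin.gif') whose bytes do not match that extension. The code below is an added example, not ESET's or PlushDaemon's tooling; the event layout, the file paths and the file contents are constructed, and only the file names come from the article. It does not assume the .gif payload is a plain PE (the article does not say so); it only checks that the content matches the claimed format.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

# File names from the article; everything else here is constructed for the example.
LOADER_DLLS = {"automsg.dll"}
SIDELOAD_HOSTS = {"perfwatson.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows\\syswow64")
# Expected leading bytes for common image extensions used to disguise payloads.
MAGIC = {".gif": (b"GIF87a", b"GIF89a"), ".png": (b"\x89PNG",), ".jpg": (b"\xff\xd8\xff",)}


@dataclass
class ImageLoad:
    """A Sysmon-style image-load (Event ID 7) record, reduced to the fields needed here."""
    process: str   # full path of the process that loaded the module
    dll: str       # full path of the loaded module
    signed: bool   # whether the loaded module carries a valid Authenticode signature


def _name(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def _dir(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()


def sideload_findings(events: list[ImageLoad]) -> list[str]:
    """Flag known loader DLL names, and the generic sideload shape:
    a known host binary loading an unsigned DLL from its own non-system folder."""
    findings = []
    for ev in events:
        host = _name(ev.process) in SIDELOAD_HOSTS
        same_dir = _dir(ev.dll) == _dir(ev.process)
        in_system = _dir(ev.dll).startswith(SYSTEM_DIRS)
        if _name(ev.dll) in LOADER_DLLS:
            findings.append(f"known loader {_name(ev.dll)} loaded by {_name(ev.process)}")
        elif host and same_dir and not ev.signed and not in_system:
            findings.append(f"{_name(ev.process)} loaded unsigned {_name(ev.dll)} from {_dir(ev.dll)}")
    return findings


def extension_mismatch(path: str, head: bytes) -> bool:
    """True when a file's extension claims an image format but its leading bytes disagree."""
    expected = MAGIC.get(PureWindowsPath(path).suffix.lower())
    if expected is None:
        return False          # not an extension we have a magic value for
    return not head.startswith(expected)


if __name__ == "__main__":
    # Constructed events: the first two mimic the sideload step, the third is benign.
    sample = [
        ImageLoad(r"C:\Users\u\AppData\Local\Temp\PerfWatson.exe",
                  r"C:\Users\u\AppData\Local\Temp\AutoMsg.dll", signed=False),
        ImageLoad(r"C:\Users\u\AppData\Local\Temp\PerfWatson.exe",
                  r"C:\Users\u\AppData\Local\Temp\helper.dll", signed=False),
        ImageLoad(r"C:\Users\u\AppData\Local\Temp\PerfWatson.exe",
                  r"C:\Windows\System32\kernel32.dll", signed=True),
    ]
    for line in sideload_findings(sample):
        print(line)
    print(extension_mismatch("winlogin.gif", b"\x17\x2a\x00\x00"))   # constructed bytes
```

The second rule deliberately ignores the DLL's name: renaming the loader defeats a name-based indicator, but a helper binary pulling an unsigned module from a user-writable folder is the shape of the technique itself and survives renaming.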
A Scaled-Down Version: SlowStepper Lite
Researchers identified the 'Lite' variant of SlowStepper used in this campaign, which includes fewer features than the full version. Despite this, it retains significant capabilities, enabling comprehensive surveillance and data collection through tools hosted on GitCode, a Chinese code repository.
Command-and-Control: A Multistage Approach
SlowStepper employs a multistage Command-and-Control (C&C) protocol. It first queries DNS servers for a TXT record in order to obtain the IP addresses it should communicate with. If this fails, it falls back to a secondary method, using an API to resolve a fallback domain.
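The first stage of that protocol leaves a specific trace in resolver logs: TXT answers that carry IP addresses. The following added example (mine, not from the article or from ESET) scans constructed DNS log lines for that pattern and skips SPF records, which legitimately contain IP addresses and are the main source of false positives. The log format, the client addresses and the domain are all constructed; the article does not name the C&C domain or the fallback API, so only the DNS-TXT stage is modelled.

```python
import ipaddress
import re

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed resolver log in a "timestamp client qname qtype rdata" layout (not real output).
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 www.example.com A 93.184.216.34
2024-06-01T10:00:02Z 10.0.0.5 _dmarc.example.com TXT "v=DMARC1; p=none"
2024-06-01T10:00:03Z 10.0.0.5 example.com TXT "v=spf1 ip4:203.0.113.0/24 -all"
2024-06-01T10:00:04Z 10.0.0.7 cfg.placeholder-c2.example TXT "198.51.100.23,198.51.100.24"
2024-06-01T10:00:09Z 10.0.0.7 cfg.placeholder-c2.example TXT "198.51.100.23,198.51.100.24"
"""


def parse(log: str) -> list[dict]:
    """Split each line into its five fields; rdata may itself contain spaces."""
    records = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, client, qname, qtype, rdata = line.split(" ", 4)
        records.append({"ts": ts, "client": client, "qname": qname.lower(),
                        "qtype": qtype.upper(), "rdata": rdata.strip('"')})
    return records


def ips_in(text: str) -> list[str]:
    """Return syntactically valid IPv4 addresses found in text (rejects e.g. 999.1.1.1)."""
    found = []
    for candidate in IPV4_RE.findall(text):
        try:
            found.append(str(ipaddress.IPv4Address(candidate)))
        except ValueError:
            pass
    return found


def txt_ip_findings(records: list[dict]) -> list[dict]:
    """Flag TXT answers that carry IP addresses, ignoring SPF records."""
    findings = []
    for r in records:
        if r["qtype"] != "TXT" or r["rdata"].lower().startswith("v=spf1"):
            continue
        ips = ips_in(r["rdata"])
        if ips:
            findings.append({"client": r["client"], "qname": r["qname"], "ips": ips})
    return findings


if __name__ == "__main__":
    for hit in txt_ip_findings(parse(SAMPLE_LOG)):
        print(f"{hit['client']} resolved {hit['qname']} TXT -> {', '.join(hit['ips'])}")
```

Repeated hits from one client for the same name, as in the sample, are worth keeping rather than de-duplicating: a beacon re-resolving its TXT record on a fixed interval is itself a signal, and the timestamps let you measure that interval.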
Espionage at Scale: Modular Capabilities of SlowStepper
The SlowStepper backdoor is equipped with a wide array of tools for collecting information, enabling it to:
- Collect data from popular Web browsers: Google Chrome, Microsoft Edge, Opera, Brave, Vivaldi, Cốc Cốc browser, UC Browser, 360 Browser, and Mozilla Firefox.
- Capture images and record screens.
- Collect sensitive documents and application data: .txt, .doc, .docx, .xls, .xlsx, .ppt, and .pptx files, as well as information from apps like LetsVPN, Tencent QQ, WeChat, Kingsoft WPS, e2eSoft VCam, KuGou, Oray Sunlogin, and ToDesk.
- Capture chat messages from the DingTalk platform.
- Retrieve legitimate (non-malicious) Python packages.
Its individual modules include:
- FileScanner and FileScannerAllDisk, which scan the system to locate files.
- getOperaCookie, which extracts cookies from the Opera browser.
- Location, which identifies the computer's IP address and GPS coordinates.
- qpass, which collects information from the Tencent QQ Browser and may have been superseded by the qqpass module.
- qqpass and Webpass, which gather passwords from various browsers, including Google Chrome, Mozilla Firefox, Tencent QQ Browser, 360 Chrome, and UC Browser.
- ScreenRecord, which captures screen recordings.
- Telegram, which extracts information from Telegram.
- WeChat, which retrieves data from the WeChat platform.
- WirelessKey, which collects wireless network details and associated passwords.
Beyond these modules, the backdoor can launch a custom shell for executing remote payloads and run Python modules for specific tasks.
A Focus on Espionage and Data Theft
The backdoor's modular design enables targeted data collection, such as chat messages from DingTalk and WeChat, browser passwords, and system location data. Additional tools support reverse proxy functionality and file downloads, enhancing its espionage capabilities.
A Growing Threat: PlushDaemon’s Evolution
PlushDaemon's extensive toolset and its commitment to ongoing development make it a formidable adversary. The group's operations since 2019 show a sustained focus on building sophisticated tooling, positioning it as a significant threat in the cybersecurity landscape.
Conclusion: Vigilance against Emerging Threats
PlushDaemon's supply chain attacks and advanced capabilities underscore the importance of vigilance in the cybersecurity community. By targeting trusted software distribution channels, the group has demonstrated its ability to infiltrate networks and execute complex espionage campaigns.