China-linked cyberespionage group PlushDaemon used South Korean VPN service 
to inject malware
Date:
Wed, 22 Jan 2025 16:41:46 +0000
Description:
ESET's new report shed light on PlushDaemon's malicious activities. Here's
what we know so far.
FULL STORY ======================================================================
A China-linked cyberespionage group has reportedly exploited a legitimate VPN service to spread malware and spy on victims' activities. The ESET security research team found the malicious code, alongside the legitimate software, in the Windows installer of IPany, a South Korean VPN provider.
The so-called PlushDaemon APT group is also known to have hijacked legitimate updates of Chinese applications, but this technically advanced supply-chain attack against a trustworthy Korean VPN firm makes the hacking group "a significant threat to watch for," said ESET experts.
The SlowStepper backdoor
ESET's new report shed light on a previously undisclosed China-aligned APT group, so-called PlushDaemon, which experts believe to have been active since at least 2019. One of its malicious operations aims to spy on the target's activities.
To do so, hackers have hijacked legitimate updates of Chinese apps and launched a supply-chain attack against South Korean VPN developer IPany. Both involve injecting a malicious backdoor into the device while the victims install the software.
Named SlowStepper, the backdoor is built on an advanced infrastructure that enables extensive data collection and spying through the recording of audio and video.
"We found no suspicious code on the download page to produce targeted downloads, for example by geofencing to specific targeted regions or IP ranges," experts explain. "Therefore, we believe that anyone using the IPany VPN might have been a valid target." 
When the malicious IPanyVPNsetup.exe installer is executed, it creates several directories and deploys both legitimate and malicious files.
Experts contacted the VPN software developer to inform them of the 
compromise. The company then removed the malicious installer from its 
website. 
Nonetheless, ESET's findings raise concerns for internet users' security, especially considering that the hacking group managed to fly under the radar for so long.
Experts wrote: "The numerous components in the PlushDaemon toolset, and its rich version history, show that, while previously unknown, this China-aligned APT group has been operating diligently to develop a wide array of tools, making it a significant threat to watch for." 
Worse still, this is far from the only instance in which VPN users, that is, people actively looking to protect their online data, are the main target. Google reported a similar threat at the beginning of January 2025, warning how Playfulghost attackers used VPN apps to infect devices with malware.
======================================================================
Link to news story: 
https://www.techradar.com/vpn/china-linked-cyberespionage-group-plushdaemon-used-south-korean-vpn-service-to-inject-malware
$$
--- SBBSecho 3.20-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)