You won’t believe this story! There is a hacking group called PlushDaemon that hijacks software updates to attack computers. Yep, you heard me right: software updates, the things you trust every day. I'm always interested in cybersecurity-related stories, so that immediately caught my attention.
Who are the PlushDaemon hackers?
A brief overview
PlushDaemon is a China-aligned hacking group that has been active since at least 2019. It has hit targets in multiple locations: the U.S., China, Taiwan, Hong Kong, South Korea, and New Zealand, and its victims include electronics manufacturers, universities, and car makers. All very serious stuff.
How the attack works
Step-by-step explanation
The hackers get their foothold by hijacking software updates. Here's how they do it:
• They break into a network device, a router or server, by way of a weak password or an old, unpatched vulnerability.
• On that device they install an implant called EdgeStepper.
• EdgeStepper intercepts the DNS requests passing through the device (DNS is how your computer turns a name such as a vendor's update server into an IP address).
• When it sees a lookup for a software vendor's update server, it quietly answers with the address of the hackers' fake update server instead.
• Your computer believes it is downloading the usual update, but what that server hands back is malware called LittleDaemon.
• LittleDaemon fetches another tool called DaemonicLogistics, which installs their primary backdoor, SlowStepper.
SlowStepper lets the hackers:
- Read your documents
- Record your keystrokes
- Steal your passwords, and
- See your browser history
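The trace that the redirect step leaves in your own DNS logs is what a defender can look for: the queried name is the vendor's, but the address that comes back is not. The Go program below is an added example, not code from the original post or from the PlushDaemon tooling, of that check run over a few constructed resolver log lines. The domain updates.example-vendor.com, the baseline address range, the client addresses and the log line format are all assumptions made for the example; a real baseline would come from the vendor or from resolving the name through an independent resolver that the compromised router cannot see.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Baseline of known-good address ranges for update hosts. The domain and the
// range are hypothetical, constructed for this example.
var Baseline = map[string][]string{
	"updates.example-vendor.com": {"203.0.113.0/24"},
}

// Alert is one suspicious A-record answer found in the resolver log.
type Alert struct {
	Time   string
	Client string
	Name   string
	Answer string
	Reason string
}

// parseLine reads a constructed log line of the form
//   <time> client=<ip> q=<name> type=<rrtype> answer=<value>
// into a key/value map. Real resolver logs differ in layout; adapt this function.
func parseLine(line string) (map[string]string, bool) {
	fields := strings.Fields(line)
	if len(fields) < 5 {
		return nil, false
	}
	rec := map[string]string{"time": fields[0]}
	for _, f := range fields[1:] {
		key, val, ok := strings.Cut(f, "=")
		if !ok {
			return nil, false
		}
		rec[key] = val
	}
	return rec, true
}

// inRanges reports whether ip lies inside any of the CIDR ranges.
func inRanges(ip net.IP, cidrs []string) bool {
	for _, c := range cidrs {
		if _, network, err := net.ParseCIDR(c); err == nil && network.Contains(ip) {
			return true
		}
	}
	return false
}

// DetectHijacks returns an Alert for every A-record answer for a baselined
// update host that is not an address we expect. This is the trace an
// EdgeStepper-style redirect leaves behind: the queried name is legitimate,
// but the returned address belongs to the attacker.
func DetectHijacks(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		rec, ok := parseLine(line)
		if !ok || rec["type"] != "A" {
			continue
		}
		name := strings.ToLower(strings.TrimSuffix(rec["q"], "."))
		expected, watched := Baseline[name]
		if !watched {
			continue
		}
		ip := net.ParseIP(rec["answer"])
		if ip == nil {
			continue
		}
		var reason string
		switch {
		case ip.IsPrivate() || ip.IsLoopback():
			reason = "public update host resolved to a private or loopback address"
		case !inRanges(ip, expected):
			reason = "answer outside the baseline range " + strings.Join(expected, ",")
		default:
			continue // answer is in the expected range: nothing to report
		}
		alerts = append(alerts, Alert{Time: rec["time"], Client: rec["client"], Name: name, Answer: rec["answer"], Reason: reason})
	}
	return alerts
}

// SampleLog is constructed data: the third and fourth lines model hijacked answers.
var SampleLog = []string{
	"2025-11-10T09:58:01Z client=192.168.1.23 q=updates.example-vendor.com type=A answer=203.0.113.10",
	"2025-11-10T09:58:02Z client=192.168.1.23 q=www.example.org type=A answer=198.51.100.7",
	"2025-11-10T10:02:17Z client=192.168.1.23 q=updates.example-vendor.com type=A answer=192.0.2.44",
	"2025-11-10T10:05:40Z client=192.168.1.40 q=updates.example-vendor.com type=A answer=10.0.0.5",
	"2025-11-10T10:05:41Z client=192.168.1.40 q=updates.example-vendor.com type=AAAA answer=2001:db8::1",
}

func main() {
	for _, a := range DetectHijacks(SampleLog) {
		fmt.Printf("%s %s asked for %s, got %s: %s\n", a.Time, a.Client, a.Name, a.Answer, a.Reason)
	}
}
```

Run it with go run: the first answer is in range and stays quiet, while the two redirected answers (one to an unexpected public address, one to a private address, which a public update host should never resolve to) are flagged along with the client that asked. Because the implant sits on the router, the comparison has to be made against a baseline that did not itself travel through that router.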
Creepy, right? Did you ever think that the "updates" you trust could be the very thing that betrays you?
Why this attack is dangerous
Because updates are supposed to be safe.
We generally trust software updates without thinking about it. I mean, who really stops and checks every update? I certainly don't every time. But PlushDaemon turns that trust against you: the malware arrives through the update process itself, which makes it very difficult to notice.
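What "checking an update" means for an updater is not a person inspecting the download, but the program verifying a signature with a key it already holds: a redirected DNS answer changes where the bytes come from, yet cannot produce the vendor's signature. The Go program below is an added example, not the original post's code and not any real vendor's updater. It signs an update manifest with an Ed25519 key, verifies it with a pinned public key, and shows both ways a hijacked server fails the check (payload swapped, manifest re-signed). The keys, the payload strings and the manifest layout are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Errors the updater reports when the update cannot be trusted.
var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("downloaded payload does not match the signed hash")
)

// Manifest is fetched next to the update binary: the version, the SHA-256 of
// the expected payload, and the vendor's Ed25519 signature over both.
type Manifest struct {
	Version string
	SHA256  [32]byte
	Sig     []byte
}

// manifestBytes is the exact byte string that is signed and verified.
// The "update-manifest-v1" prefix is a constructed domain separator.
func manifestBytes(version string, sum [32]byte) []byte {
	return append([]byte("update-manifest-v1\n"+version+"\n"), sum[:]...)
}

// SignManifest is the vendor's build-time step. The private key never ships
// to clients, so a server that merely sits where DNS points cannot run it.
func SignManifest(priv ed25519.PrivateKey, version string, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	return Manifest{Version: version, SHA256: sum, Sig: ed25519.Sign(priv, manifestBytes(version, sum))}
}

// VerifyUpdate is the client-side check. pinnedPub is compiled into the
// updater, so the decision does not depend on DNS or on which server answered.
func VerifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, payload []byte) error {
	if !ed25519.Verify(pinnedPub, manifestBytes(m.Version, m.SHA256), m.Sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.SHA256 {
		return ErrHashMismatch
	}
	return nil
}

// fixedKey derives a deterministic key from a label. Constructed for the
// example only; real vendor keys live in an HSM or a signing service.
func fixedKey(label string) ed25519.PrivateKey {
	seed := sha256.Sum256([]byte(label))
	return ed25519.NewKeyFromSeed(seed[:])
}

// Scenario plays out three downloads and returns what VerifyUpdate says about each:
//   genuine:  the real payload with the real manifest
//   swapped:  a hijacked server returns a different payload but forwards the vendor's manifest
//   resigned: the hijacked server also replaces the manifest, signed with its own key
func Scenario() (genuine, swapped, resigned error) {
	vendor := fixedKey("vendor signing key (constructed)")
	attacker := fixedKey("attacker key (constructed)")
	pinned := vendor.Public().(ed25519.PublicKey)

	realPayload := []byte("installer bytes for version 2.1.0 (constructed)")
	malPayload := []byte("dropper bytes served by the fake update server (constructed)")
	m := SignManifest(vendor, "2.1.0", realPayload)

	genuine = VerifyUpdate(pinned, m, realPayload)
	swapped = VerifyUpdate(pinned, m, malPayload)
	resigned = VerifyUpdate(pinned, SignManifest(attacker, "2.1.0", malPayload), malPayload)
	return genuine, swapped, resigned
}

func main() {
	g, s, r := Scenario()
	fmt.Println("genuine update:", g)
	fmt.Println("payload swapped by redirect:", s)
	fmt.Println("manifest re-signed by attacker:", r)
}
```

Run it with go run: the genuine download verifies, and both hijacked downloads are rejected before anything is installed. The point is where the trust lives, in the pinned key inside the client rather than in the network path the update took; an updater that fetches over plain HTTP and runs whatever comes back has nothing an EdgeStepper-style redirect cannot satisfy.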
Anyone could be affected.
And you might say "I don't work at a large company, why would hackers target me?" The simple answer is:
Because your device could be the entry point into bigger targets. To be honest, I've downloaded small tools without checking the update source, and maybe you have too.
My personal thoughts.
I feel like this attack method is one of the sneakiest in recent memory.
Why?
Because the hackers do not hit you directly. They wait for you to click "Update" and boom, their malware is in.
This reminds me that we must be cautious not just about what we install, but also about where the update is coming from.