Wonderful, just wonderful.
According to antivirus company ESET, a China-aligned hacking group compromised the website of a VPN provider so that its download delivered malware. In May 2024 ESET's antivirus software flagged a Windows installer downloaded from the site of South Korean VPN company IPany; the installer was infecting the computers that ran it.
"Upon further analysis, we discovered that the installer was deploying both the legitimate software and the backdoor that we've named SlowStepper. We contacted the VPN software developer to inform them of the compromise, and the malicious installer was removed from their website."
It is not clear how the attackers replaced the installer on IPany's website. ESET reports that it found no code that singled out particular users by location or IP address.
"We found no suspicious code on the download page to produce targeted downloads, for example by geofencing to specific targeted regions or IP ranges; therefore, we believe that anyone using the IPany VPN might have been a valid target."
ESET attributes the attack to a China-aligned group it tracks as PlushDaemon, which has been active since 2019. Since then the group has carried out cyberattacks against targets in China, Taiwan, South Korea, and the US. PlushDaemon's SlowStepper backdoor gives the operators remote control of an infected machine: on command they can download and execute additional malware, collect information about the device, and delete specific files from it.
ESET believes this campaign may have given the group a foothold for spying on high-value targets.
"Via ESET telemetry, we found that several users attempted to install the trojanized software in the network of a semiconductor company and an unidentified software development company in South Korea. The two oldest cases registered in our telemetry were a victim from Japan in November 2023, and a victim from China in December 2023."
This is also a supply chain attack: instead of attacking each victim directly, the attacker compromises software that many people trust and install, so that the vendor's own distribution channel delivers the malware to all of them. North Korean hackers carried out a similar attack in 2023, trojanizing the 3CX voice-calling app to spread malware to its unsuspecting users.
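The detail that matters for defenders is that the trojanized installer still installed the real VPN client, so a successful install told the user nothing. The one check that does distinguish the two files is comparing the download against a hash the vendor published through a separate channel (a signed release note, a mailing list, a second domain) rather than on the same download page the attacker may control. The script below is an added illustration, not ESET's or IPany's code; the "installer" bytes and the published hash are constructed for the example.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

# Constructed stand-ins for a vendor's real installer and a trojanized copy.
# Both install the legitimate product; only the second carries an extra payload.
LEGIT_INSTALLER = b"NSIS legitimate VPN installer bytes (constructed sample)\n" * 64
TROJANIZED_INSTALLER = LEGIT_INSTALLER + b"\x00appended backdoor loader (constructed sample)\n"


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so a multi-hundred-megabyte installer need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_installer(path: Path, published_sha256: str) -> bool:
    """Compare the download against a hash obtained out of band.

    The published value is normalised (strip, lowercase) because vendors print it
    in varying forms; compare_digest avoids an early-exit string comparison.
    """
    actual = sha256_of_file(path)
    return hmac.compare_digest(actual, published_sha256.strip().lower())


def demo() -> dict:
    """Write both constructed installers to disk and check each against the
    hash of the legitimate build (assumed here to have been published out of band)."""
    with tempfile.TemporaryDirectory() as d:
        legit = Path(d) / "vpn-setup.exe"
        trojan = Path(d) / "vpn-setup-trojanized.exe"
        legit.write_bytes(LEGIT_INSTALLER)
        trojan.write_bytes(TROJANIZED_INSTALLER)
        # Assumption: the vendor published this value through a second channel.
        published = hashlib.sha256(LEGIT_INSTALLER).hexdigest().upper()
        return {
            "legit_ok": verify_installer(legit, published),
            "trojan_ok": verify_installer(trojan, published),
        }


if __name__ == "__main__":
    print(demo())
```

The check is only as good as the channel the published hash came from: if the vendor lists hashes on the same page that serves the installer, an attacker who can swap the file can usually edit the hash too. A code-signing signature tied to the vendor's certificate gives the same assurance without a second channel, but this report does not say whether the IPany installer was signed, so the hash comparison is the check that applies regardless.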
Source: PC Mag