PlushDaemon's EdgeStepper: Sophisticated DNS Hijacking Attacks
ESET researchers have uncovered an attack chain run by the threat actor PlushDaemon that relies on a previously undocumented network implant, EdgeStepper, to carry out adversary-in-the-middle attacks. After compromising a network device, PlushDaemon uses the implant to redirect DNS queries to a server it controls, intercepts legitimate software-update traffic, and serves trojanized updates that install the SlowStepper backdoor. ESET reports that this technique has let the group compromise targets across multiple continents since at least 2018.

EdgeStepper is the central component of this infrastructure and runs on the compromised device as a DNS proxy. On start-up it loads an encrypted configuration, decrypts it with AES in CBC mode, and then forwards every DNS query passing through the device to a malicious DNS node operated by PlushDaemon, so that lookups for update hostnames can be answered with attacker-controlled addresses.
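The symptom a defender can look for is the one EdgeStepper produces on the wire: answers for software-update hostnames that point somewhere other than the vendor's known infrastructure, or that arrive from a resolver the client was never configured to use. The following detector is an added example written for this page; it is not ESET's detection logic or any PlushDaemon code. The log format, the expected resolver address, the reference address ranges and the hostnames are all constructed for the illustration (documentation-range IPs), and the reference answers stand in for values you would fetch out of band, for example over DNS-over-HTTPS from a network you trust.

```python
"""
Added example: flag DNS answers that indicate an on-path DNS proxy
rewriting lookups for software-update hostnames.

Everything below (log format, resolver, reference ranges, hostnames) is
constructed for illustration; none of it comes from the ESET report.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Resolver that clients on this segment are configured to use (hypothetical).
EXPECTED_RESOLVER = "10.0.0.53"

# Reference answers for the update hostnames we care about, obtained out of
# band (hypothetically over DoH from another network). Constructed values.
REFERENCE_ANSWERS = {
    "update.example-vendor.com": ipaddress.ip_network("203.0.113.0/24"),
    "dl.example-updates.net": ipaddress.ip_network("198.51.100.0/24"),
}


@dataclass(frozen=True)
class DnsEvent:
    ts: str         # timestamp of the response
    client: str     # querying host
    responder: str  # source IP of the DNS response as seen by the sensor
    qname: str      # queried name
    rtype: str      # record type
    answer: str     # returned rdata


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one constructed log line: 'ts client responder qname rtype answer'."""
    parts = line.split()
    if len(parts) != 6:
        return None  # malformed or unrelated line
    return DnsEvent(*parts)


def check_event(ev: DnsEvent) -> List[str]:
    """Return a list of findings for a single A-record response."""
    findings: List[str] = []
    if ev.rtype != "A":
        return findings

    # Check 1: the answer should come from the configured resolver. This is
    # the loud case; an implant on the gateway that rewrites source addresses
    # will not trigger it, which is why check 2 exists.
    if ev.responder != EXPECTED_RESOLVER:
        findings.append(f"{ev.qname}: answer from unexpected resolver {ev.responder}")

    # Check 2: for monitored update hostnames, the returned address must fall
    # inside the out-of-band reference range.
    ref = REFERENCE_ANSWERS.get(ev.qname.lower().rstrip("."))
    if ref is not None:
        try:
            addr = ipaddress.ip_address(ev.answer)
        except ValueError:
            findings.append(f"{ev.qname}: unparsable answer {ev.answer!r}")
            return findings
        if addr not in ref:
            findings.append(f"{ev.qname}: resolved to {addr}, outside reference {ref}")
    return findings


def analyze(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Run both checks over a log stream; return (timestamp, finding) pairs."""
    out: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for finding in check_event(ev):
            out.append((ev.ts, finding))
    return out


# Constructed sample log: two benign lines, then two showing hijack symptoms.
SAMPLE_LOG = """\
2025-11-19T10:00:01Z 10.0.0.25 10.0.0.53 update.example-vendor.com A 203.0.113.10
2025-11-19T10:00:02Z 10.0.0.25 10.0.0.53 www.example.org A 93.184.216.34
2025-11-19T10:05:07Z 10.0.0.31 10.0.0.53 update.example-vendor.com A 192.0.2.77
2025-11-19T10:05:09Z 10.0.0.31 192.0.2.53 dl.example-updates.net A 192.0.2.77
""".splitlines()

if __name__ == "__main__":
    for ts, finding in analyze(SAMPLE_LOG):
        print(ts, finding)
```

The second check is the one that matters against an implant like EdgeStepper: because the proxy sits on the network device, clients keep seeing responses that appear to come from their normal resolver, so comparing answers against a reference obtained from a different vantage point is what exposes the redirection. Run it against real logs only after replacing the constructed reference ranges with addresses you have verified yourself.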