PlushDaemon compromises network devices for adversary-in-the-middle attacks

MITRE Techniques

• [T1583.001 ] Acquire Infrastructure: Domains – PlushDaemon uses EdgeStepper to redirect traffic to specific subdomains that are part of PlushDaemon’s infrastructure on wcsset[.]com. Quote: ‘PlushDaemon uses EdgeStepper to redirect traffic to specific subdomains that are part of PlushDaemon’s infrastructure on wcsset[.]com.’
• [T1583.002 ] Acquire Infrastructure: DNS Server – Part of the PlushDaemon infrastructure is used to host its malicious DNS nodes. Quote: ‘Part of the PlushDaemon infrastructure is used to host its malicious DNS nodes.’
• [T1583.004 ] Acquire Infrastructure: Server – PlushDaemon has acquired servers to host its DNS/hijacking nodes and C&C servers. Quote: ‘PlushDaemon has acquired servers to host its DNS/hijacking nodes and C&C servers.’
• [T1608.001 ] Stage Capabilities: Upload Malware – PlushDaemon hosts its payloads on DNS/hijacking servers. Quote: ‘PlushDaemon hosts its payloads on DNS/hijacking servers.’
• [T1659 ] Content Injection – Hijacking nodes from PlushDaemon process hijacked traffic and reply to legitimate software with instructions to download malware such as LittleDaemon. Quote: ‘Hijacking nodes from PlushDaemon process hijacked traffic and reply to legitimate software with instructions to download malware such as LittleDaemon.’
• [T1106 ] Native API – DaemonicLogistics executes the SlowStepper implant using the ShellExecute API. Quote: ‘DaemonicLogistics executes the SlowStepper implant using the ShellExecute API.’
• [T1070.004 ] Indicator Removal: File Deletion – Some variants of LittleDaemon can remove themselves. Quote: ‘Some variants of LittleDaemon can remove themselves.’
• [T1036.005 ] Masquerading: Match Legitimate Name or Location – DaemonicLogistics creates a subdirectory named Tencent, where it stores its files. Quote: ‘DaemonicLogistics creates a subdirectory named Tencent, where it stores its files.’
• [T1036.008 ] Masquerading: Masquerade File Type – DaemonicLogistics and SlowStepper’s loader can decrypt files that masquerade as ZIP and GIF files. Quote: ‘DaemonicLogistics and SlowStepper’s loader can decrypt files that masquerade as ZIP and GIF files.’
• [T1027.009 ] Obfuscated Files or Information: Embedded Payloads – Files masquerading as ZIPs and GIF files contain embedded encrypted components. Quote: ‘Files masquerading as ZIPs and GIF files contain embedded encrypted components.’
• [T1027.013 ] Obfuscated Files or Information: Encrypted/Encoded File – Components of the SlowStepper implant are encrypted on disk. Quote: ‘Components of the SlowStepper implant are encrypted on disk.’
• [T1518.001 ] Software Discovery: Security Software Discovery – DaemonicLogistics checks for the presence of 360tray.exe – a component of 360 Total Security. Quote: ‘DaemonicLogistics checks for the presence of 360tray.exe – a component of 360 Total Security.’
• [T1016 ] System Network Configuration Discovery – DaemonicLogistics attempts to obtain the ethernet or Wi‑Fi adapter’s MAC address. Quote: ‘DaemonicLogistics attempts to obtain the ethernet or Wi‑Fi adapter’s MAC address.’
• [T1057 ] Process Discovery – DaemonicLogistics lists processes. Quote: ‘DaemonicLogistics lists processes.’
• [T1071.001 ] Application Layer Protocol: Web Protocols – LittleDaemon and DaemonicLogistics use HTTP to communicate with their server. Quote: ‘LittleDaemon and DaemonicLogistics use HTTP to communicate with their server.’
• [T1573 ] Encrypted Channel – LittleDaemon downloads via HTTP the encrypted DaemonicLogistics that downloads via HTTP the encrypted SlowStepper implant. Quote: ‘LittleDaemon downloads via HTTP the encrypted DaemonicLogistics that downloads via HTTP the encrypted SlowStepper implant.’
• [T1665 ] Hide Infrastructure – LittleDaemon and DaemonicLogistics make downloads by sending HTTP requests to legitimate domains. Quote: ‘LittleDaemon and DaemonicLogistics make downloads by sending HTTP requests to legitimate domains.’