Concise Cyber

PlushDaemon Malware: China-Linked Actor Uses ‘EdgeStepper’ to Hijack Software Updates

A threat actor with links to China has been observed using a novel technique, dubbed ‘EdgeStepper’, to hijack DNS traffic and deliver a previously unknown malware implant called PlushDaemon. The campaign targeted a telecommunications organization in the Middle East, leveraging weaponized software updates for initial access to Linux systems.

Security researchers at CrowdStrike attributed the activity to the threat actor LightBasin, also tracked as UNC1945. This group is known for its focus on targeting the telecommunications sector globally. The operation’s primary goal was to gain and maintain persistent access within the victim’s network by subverting a trusted system process.

The ‘EdgeStepper’ DNS Hijacking Technique

The core of the attack involved the EdgeStepper technique, which specifically targets Linux environments. After gaining initial access to a system, the attackers modified the default gateway configuration. This change rerouted all outgoing DNS queries from the compromised server to a malicious DNS server under the attackers’ control.

By intercepting DNS requests, the threat actor could respond to queries for legitimate software update repositories with the IP address of their own server. When an administrator or an automated process attempted to run a standard system update using tools like yum or apt-get, the system would connect to the malicious server instead of the official one. This enabled the attackers to serve their own malicious packages disguised as legitimate software updates.

PlushDaemon Malware and System Persistence

The malicious package delivered through the hijacked update process contained the PlushDaemon backdoor. Once installed, PlushDaemon provided the LightBasin actor with persistent and covert access to the compromised host. To ensure it remained active on the system, the malware established persistence by creating and enabling a systemd service.
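As an added example (not code from the article or from CrowdStrike), the following Python script checks evidence collected from a Linux host for the traces the attack chain above leaves behind: a resolver or default gateway outside the organisation's baseline, an update-repository hostname that the system resolver answers differently from an out-of-band resolver, and an enabled systemd service missing from a known-good inventory. The baseline addresses, the repository hostname and the sample evidence are constructed placeholders.

```python
import re

# Assumed organisational baseline: placeholder values, not from the article.
EXPECTED_RESOLVERS = {"10.0.0.53"}
EXPECTED_GATEWAYS = {"10.0.0.1"}
BASELINE_UNITS = {"sshd.service", "cron.service"}

def parse_resolvers(resolv_conf):
    """Nameserver addresses listed in the text of /etc/resolv.conf."""
    return set(re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M))

def parse_default_gateways(ip_route):
    """Default-gateway addresses in the text output of `ip route`."""
    return set(re.findall(r"^default via (\S+)", ip_route, re.M))

def enabled_services(unit_files_output):
    """Enabled .service units in `systemctl list-unit-files --state=enabled` output."""
    units = set()
    for line in unit_files_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].endswith(".service") and parts[1] == "enabled":
            units.add(parts[0])
    return units

def find_hijack_indicators(resolv_conf, ip_route, unit_files, system_dns, trusted_dns):
    """Return findings for one host's evidence; an empty list means clean. system_dns and
    trusted_dns map a repository hostname to the addresses returned by the host resolver
    and by an out-of-band resolver on another network path; only a complete mismatch is
    flagged, because CDN-hosted mirrors legitimately return differing subsets of addresses."""
    findings = []
    for ns in sorted(parse_resolvers(resolv_conf) - EXPECTED_RESOLVERS):
        findings.append(f"unexpected nameserver {ns}")
    for gw in sorted(parse_default_gateways(ip_route) - EXPECTED_GATEWAYS):
        findings.append(f"unexpected default gateway {gw}")
    for unit in sorted(enabled_services(unit_files) - BASELINE_UNITS):
        findings.append(f"enabled service not in baseline: {unit}")
    for host, trusted in trusted_dns.items():
        seen = system_dns.get(host, set())
        if seen and not (seen & trusted):
            findings.append(f"{host}: system resolver {sorted(seen)} vs trusted {sorted(trusted)}")
    return findings

# Constructed sample evidence from a host matching the article's description.
SAMPLE_RESOLV = "search corp.example\nnameserver 198.51.100.7\n"
SAMPLE_ROUTE = "default via 198.51.100.1 dev eth0\n10.0.0.0/24 dev eth0 proto kernel\n"
SAMPLE_UNITS = "UNIT FILE STATE PRESET\nsshd.service enabled enabled\nupdated.service enabled disabled\n"
SAMPLE_SYSTEM_DNS = {"repo.example.org": {"198.51.100.9"}}
SAMPLE_TRUSTED_DNS = {"repo.example.org": {"203.0.113.20", "203.0.113.21"}}
```

In practice the inputs come from `cat /etc/resolv.conf`, `ip route`, `systemctl list-unit-files --state=enabled` and a resolver query issued from a separate network path; the sample host above yields four findings.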

This method of intrusion is noteworthy because it abuses a fundamental and trusted operating system function—the software update mechanism. By controlling DNS, the attackers effectively turned a routine administrative task into the primary vector for malware deployment, allowing for stealthy infiltration into a critical telecommunications network.

Source: https://www.csoonline.com/article/4093727/china%e2%80%91linked-plushdaemon-hijacks-dns-via-edgestepper-to-weaponize-software-updates.html