Concise Cyber

China’s BlackTech APT Infects Routers with ‘PlushDaemon’ to Hijack Software Updates

A China-linked advanced persistent threat (APT) group, known as BlackTech, has been identified deploying custom malware to infect routers and hijack legitimate software updates. The campaign, detailed by researchers at Lumen Technologies’ Black Lotus Labs, utilizes a sophisticated backdoor named ‘PlushDaemon’ to conduct cyber-espionage primarily against organizations in the United States and Japan.

The threat actors gain control of routers at the network edge, often targeting branch offices, which may have less robust security than corporate headquarters. By modifying the firmware of routers from vendors including Cisco and Fortinet, BlackTech establishes a persistent foothold within the target’s network infrastructure.

PlushDaemon: A Stealthy Firmware Backdoor

PlushDaemon is a custom backdoor specifically designed to be embedded within a router’s firmware. This placement allows it to survive reboots and remain undetected. The malware can operate in two distinct modes. In its passive mode, PlushDaemon listens for a specially crafted ‘magic packet’ sent over the network, which activates its functionalities. In its active mode, the malware proactively connects to a command-and-control (C2) server for instructions.

This dual-mode capability provides the attackers with operational flexibility, allowing them to remain dormant for extended periods before receiving commands to execute malicious actions, such as intercepting and manipulating network traffic.

Hijacking Updates for Malicious Delivery

The primary function of the PlushDaemon implant is to intercept network traffic to facilitate the delivery of other malware. The backdoor is configured to monitor for specific software update requests originating from devices within the compromised network. When it detects a download attempt for a targeted executable file, such as those associated with Windows Update, Adobe, or Microsoft Office, it intervenes.

Instead of allowing the legitimate update file to be downloaded, PlushDaemon hijacks the connection and serves a malicious payload to the requesting computer. This update-hijacking technique enables the BlackTech group to bypass security controls and gain initial access to endpoints within the victim’s environment, furthering their espionage objectives.
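An on-path implant at the edge can only succeed if the endpoint trusts whatever bytes arrive for a known update URL. The following is an added example, not code from the article or from Black Lotus Labs, showing the two defensive checks that break this technique: an endpoint-side verifier that accepts an update only if it arrived over TLS, is on a pinned list, and hashes to the vendor-published value; and a correlation step that counts hash mismatches per /24 so that a branch segment where every client receives a bad file stands out. The URLs, file contents, pinned hashes and download records are all constructed for the demo, and the assumption that the vendor publishes hashes out of band (a signed manifest rather than the download channel itself) is the premise of the check.

```python
"""Added example (not from the article): verify update downloads against
pinned hashes, then correlate mismatches by network segment so a compromised
edge device stands out. Every URL, payload and record here is constructed."""
import hashlib
import ipaddress
from urllib.parse import urlparse

# Constructed stand-ins for the real file bytes (the genuine files are not on the page).
GOOD_OFFICE = b"LEGITIMATE OFFICE UPDATE (constructed)"
GOOD_READER = b"LEGITIMATE READER PATCH (constructed)"
SUBSTITUTED = b"SOMETHING ELSE ENTIRELY (constructed stand-in for a swapped file)"

OFFICE_URL = "https://updates.example-vendor.test/office/kb-demo.msp"
READER_URL = "https://updates.example-vendor.test/reader/patch-demo.exe"

# Constructed manifest: what the vendor says each update must hash to.
# Assumption: in a real deployment this comes from a signed vendor manifest
# obtained independently of the download path, never from the download itself.
PINNED_UPDATES = {
    OFFICE_URL: hashlib.sha256(GOOD_OFFICE).hexdigest(),
    READER_URL: hashlib.sha256(GOOD_READER).hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string."""
    return hashlib.sha256(data).hexdigest()


def verify_update(url: str, payload: bytes) -> tuple[bool, str]:
    """Accept an update only if it came over TLS, is on the pinned list,
    and hashes to the pinned value. Returns (accepted, reason)."""
    if urlparse(url).scheme != "https":
        return False, "plaintext transport: trivially modifiable on-path"
    expected = PINNED_UPDATES.get(url)
    if expected is None:
        return False, "unknown update URL: no pinned hash to check against"
    if sha256_hex(payload) != expected:
        return False, "hash mismatch: payload differs from vendor-published file"
    return True, "hash matches pinned value"


def suspect_segments(records, min_mismatches: int = 2) -> dict:
    """records: iterable of (client_ip, url, payload_bytes).
    Counts rejected downloads per IPv4 /24 and returns the segments at or
    above the threshold. Several clients behind one edge device all
    receiving a file that fails verification is the pattern a firmware
    implant on that device would produce. The /24 grouping is an assumption
    standing in for however the site maps clients to edge routers."""
    counts: dict = {}
    for client_ip, url, payload in records:
        accepted, _ = verify_update(url, payload)
        if accepted:
            continue
        segment = str(ipaddress.ip_network(f"{client_ip}/24", strict=False))
        counts[segment] = counts.get(segment, 0) + 1
    return {seg: n for seg, n in counts.items() if n >= min_mismatches}


# Constructed download records: headquarters clients receive intact files,
# while every client in the branch segment receives a substituted file.
SAMPLE_RECORDS = [
    ("10.0.1.10", OFFICE_URL, GOOD_OFFICE),
    ("10.0.1.11", READER_URL, GOOD_READER),
    ("10.8.4.20", OFFICE_URL, SUBSTITUTED),
    ("10.8.4.21", OFFICE_URL, SUBSTITUTED),
    ("10.8.4.22", READER_URL, SUBSTITUTED),
]

if __name__ == "__main__":
    for ip, url, payload in SAMPLE_RECORDS:
        accepted, reason = verify_update(url, payload)
        print(f"{ip:<10} {'ACCEPT' if accepted else 'REJECT':<6} {reason}")
    print("segments to investigate:", suspect_segments(SAMPLE_RECORDS))
```

Running the block prints a reject line for each branch client and reports `{'10.8.4.0/24': 3}` as the segment to investigate. Hash pinning is what makes the check work: TLS alone does not help when the implant sits on a device the client already routes through, and a hash fetched over the same connection as the file would simply be swapped along with it.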

Source: https://www.darkreading.com/endpoint-security/chinese-apt-routers-hijack-software-updates