Cybersecurity researchers at ESET have identified a previously undocumented Linux backdoor named PlushDaemon. This malware is engineered to compromise network devices, such as routers, to facilitate adversary-in-the-middle (AiTM) attacks.
PlushDaemon’s primary objective is to intercept and manipulate network traffic passing through an infected device. The initial access vector for the malware has not been definitively documented, though researchers believe it likely involves the exploitation of unpatched vulnerabilities or weak credentials on the targeted network hardware.
PlushDaemon’s Core Functionality and Persistence
Once executed on a compromised device, PlushDaemon establishes persistence by modifying the rc.local file, ensuring it runs automatically upon system startup. The core component of the malware typically uses file names such as /usr/sbin/iptable_manager or /usr/sbin/iptable_manage. This component is responsible for communicating with a hardcoded Command and Control (C&C) server.
During the investigation, the compromised router hosting PlushDaemon was also found to contain other malicious tools, including a port scanner and a SOCKS5 proxy server. This suggests either a multi-stage attack by a single actor or that multiple threat actors had access to the device.
Adversary-in-the-Middle Techniques
PlushDaemon employs specific techniques to conduct its AiTM attacks. One of its key capabilities is DNS hijacking. The malware modifies the device’s iptables rules to intercept all DNS queries on port 53 and redirect them to a local service it controls. In one observed case, this was used to redirect a user attempting to visit rutoken.ru, the website of a Russian hardware authentication token producer, to a malicious website.
The malware is also capable of SSH credential theft. It accomplishes this by replacing the legitimate SSH daemon binary at /usr/sbin/sshd with a malicious script. This script first executes a fake SSH server located at /tmp/sshd to capture login credentials, and then it launches the original SSH daemon to maintain normal functionality and avoid detection.
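As an added example (not code from the ESET report), the following Python audit checks for the three host-level traces described above: an rc.local entry launching the named core component, an iptables nat rule redirecting DNS (port 53), and /usr/sbin/sshd being a script rather than an ELF binary. The inputs are constructed samples; the component file names come from the article, while the REDIRECT/DNAT rule form and the 5353 target port are assumptions.

```python
"""Offline checks for the PlushDaemon traits described in the article.
All inputs below are constructed samples, not captures from the report."""
import re

# Constructed sample inputs
SAMPLE_RC_LOCAL = """#!/bin/sh -e
/usr/sbin/iptable_manager &
exit 0
"""
SAMPLE_IPTABLES_SAVE = """*nat
-A PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 5353
-A PREROUTING -p tcp --dport 53 -j REDIRECT --to-ports 5353
COMMIT
"""
# First bytes of /usr/sbin/sshd: a real sshd is ELF, a script starts with "#!"
SAMPLE_SSHD_HEADER = b"#!/bin/sh\n# constructed stand-in for a replaced daemon\n"

# File names the article reports for the core component
RC_LOCAL_NAMES = ("/usr/sbin/iptable_manager", "/usr/sbin/iptable_manage")
# Assumed rule shape: destination port 53 sent to REDIRECT or DNAT
DNS_REDIRECT = re.compile(r"--dport\s+53\b.*-j\s+(REDIRECT|DNAT)")


def rc_local_findings(text):
    """Return rc.local lines that reference the known core component names."""
    return [ln.strip() for ln in text.splitlines()
            if any(name in ln for name in RC_LOCAL_NAMES)]


def dns_redirect_rules(iptables_save_text):
    """Return nat rules (iptables-save format) that redirect port 53 traffic."""
    return [ln.strip() for ln in iptables_save_text.splitlines()
            if DNS_REDIRECT.search(ln)]


def sshd_is_script(header):
    """True when the sshd file starts with a shebang instead of the ELF magic."""
    return not header.startswith(b"\x7fELF") and header.startswith(b"#!")


def audit(rc_local, iptables_save, sshd_header):
    """Combine the three checks into a list of human-readable findings."""
    findings = [f"rc.local persistence: {ln}" for ln in rc_local_findings(rc_local)]
    findings += [f"DNS redirect rule: {ln}" for ln in dns_redirect_rules(iptables_save)]
    if sshd_is_script(sshd_header):
        findings.append("/usr/sbin/sshd is a script, not an ELF binary")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RC_LOCAL, SAMPLE_IPTABLES_SAVE, SAMPLE_SSHD_HEADER):
        print("[!]", finding)
```

On a live device the same functions can be fed the contents of /etc/rc.local, the output of `iptables-save`, and the first bytes of /usr/sbin/sshd.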
ESET Research has not attributed the PlushDaemon malware to any specific threat actor.