South Korean VPN Provider IPany Breached in Sophisticated Supply Chain Attack by China-Aligned Hackers


2025-01-22

In a startling revelation, South Korean VPN provider IPany fell victim to a sophisticated supply chain attack orchestrated by the China-aligned hacking group “PlushDaemon.” The attackers compromised IPany’s VPN installer, embedding a custom malware known as ‘SlowStepper’ to infiltrate customer systems. This breach, uncovered by ESET researchers, highlights the growing threat of supply chain attacks and the advanced tactics employed by state-aligned cybercriminals. The incident has impacted several organizations, including a South Korean semiconductor firm and a software development company, with traces of infection dating back to November 2023 in Japan.

The Attack

1. Breach and Malware Deployment: PlushDaemon infiltrated
2. Infection Mechanism: Customers downloading the ZIP installer (‘IPanyVPNsetup.zip’) from IPany’s website unknowingly installed both the legitimate VPN and malicious files (‘svcghost.exe’).
3. Persistence and Payload: The malware added a Run key in the Registry for persistence and loaded the SlowStepper payload from an image file (‘winlogin.gif’) via a malicious DLL (‘lregdll.dll’).
4. Stealthy Operations: The Lite version of SlowStepper (0.2.10) used in this attack was less feature-rich but more stealthy, making detection challenging.
5. Capabilities: SlowStepper supports a range of espionage functions, including system data collection, file enumeration, browser data theft, keylogging, and even audio/video recording.
6. Commands: Key commands include gathering system details, fetching and running files from the C&C server, executing Python-based spyware tools, and enabling shell mode for direct system control.
7. Impact: The attack lacked geo-fencing, meaning anyone who downloaded the VPN installer between November 2023 and May 2024 could be infected.
8. Response: ESET notified IPany, leading to the removal of the malicious installer, but infected users must manually clean their systems.
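A defender reading steps 2 and 3 will want a quick triage check for the two artifacts the report names: an installer archive carrying executables beside the expected setup binary, and a Run-key value that points at one of the dropped files. The script below is an added example, not code from IPany, ESET or the article; the ZIP archive and Run-key snapshot it inspects are constructed in memory, the expected setup name `IPanyVPNsetup.exe` and the install path are hypothetical, and only the file names `IPanyVPNsetup.zip`, `svcghost.exe`, `lregdll.dll` and `winlogin.gif` come from the report.

```python
"""Triage helpers for a trojanized installer of the kind described above.

Added example, not the vendor's or the researchers' code. The sample archive
and Run-key entries are constructed; only the IoC file names come from the report.
"""
import io
import zipfile

# File names the report associates with the malicious installer.
IOC_NAMES = {"svcghost.exe", "lregdll.dll", "winlogin.gif"}

# Extensions that should not appear in an installer beyond the expected setup binary.
EXECUTABLE_EXTS = (".exe", ".dll", ".sys", ".scr")


def suspicious_members(zip_bytes: bytes, expected_setup: str) -> dict:
    """Inspect a ZIP installer without extracting it.

    Returns the members whose base name matches a reported IoC, and every
    executable member other than `expected_setup` (the one binary the vendor
    is expected to ship; its name here is hypothetical).
    """
    ioc_hits, unexpected = [], []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            base = name.rsplit("/", 1)[-1].lower()
            if base in IOC_NAMES:
                ioc_hits.append(name)
            if base.endswith(EXECUTABLE_EXTS) and base != expected_setup.lower():
                unexpected.append(name)
    return {"ioc": sorted(ioc_hits), "unexpected_executables": sorted(unexpected)}


def suspicious_run_entries(entries: dict) -> list:
    r"""Flag Run-key values whose command line references a reported IoC file name.

    `entries` maps value name -> command line, as read from the
    ...\CurrentVersion\Run key under HKCU or HKLM. Matching is on the file
    name only, because the report does not give the install path.
    """
    hits = []
    for value_name, command in entries.items():
        lowered = command.lower()
        if any(ioc in lowered for ioc in IOC_NAMES):
            hits.append(value_name)
    return sorted(hits)


def build_sample_zip() -> bytes:
    """Constructed stand-in for the trojanized archive (not the real file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("IPanyVPNsetup.exe", b"MZ placeholder, constructed")
        zf.writestr("svcghost.exe", b"MZ placeholder, constructed")
        zf.writestr("lregdll.dll", b"MZ placeholder, constructed")
        zf.writestr("winlogin.gif", b"GIF89a placeholder, constructed")
        zf.writestr("README.txt", b"constructed")
    return buf.getvalue()


# Constructed Run-key snapshot; the path is a hypothetical placeholder.
SAMPLE_RUN_ENTRIES = {
    "OneDrive": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
    "svcghost": r"C:\ProgramData\HYPOTHETICAL_PATH\svcghost.exe",
}

if __name__ == "__main__":
    print(suspicious_members(build_sample_zip(), "IPanyVPNsetup.exe"))
    print(suspicious_run_entries(SAMPLE_RUN_ENTRIES))
```

On a live Windows host the Run-key dictionary would be filled from `winreg` (or from an exported `.reg` file) rather than from the constructed snapshot, and the ZIP check can be pointed at the downloaded archive before anything is extracted. A name match is only a starting point for triage: the report gives no hashes, so confirmed matches should be handed to a full scan rather than treated as the end of the investigation.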

What Undercode Says:

The IPany breach is a stark reminder of the vulnerabilities inherent in supply chain attacks, where attackers exploit trusted software to distribute malware. This incident underscores several critical points about modern cybersecurity threats and the evolving tactics of state-aligned hacking groups.

1. Supply Chain Vulnerabilities: Supply chain attacks are particularly insidious because they exploit the trust users place in legitimate software providers. By compromising a single vendor, attackers can infiltrate countless downstream users, as seen with IPany.

2. Sophistication of State-Aligned Groups: PlushDaemon’s use of SlowStepper demonstrates the advanced capabilities of state-aligned hacking groups. The malware’s modular design, leveraging Python and Go, allows for extensive customization and functionality, making it a potent tool for espionage.

3. Stealth Over Features: The decision to use a Lite version of SlowStepper highlights a shift toward stealth over functionality. While less feature-rich, the Lite version’s smaller footprint makes it harder to detect, emphasizing the importance of advanced threat detection mechanisms.

4. Targeting and Scope: The absence of geo-fencing suggests that the attackers cast a wide net, potentially targeting a broad range of victims rather than specific entities. This approach increases the likelihood of collateral damage, as seen with the infection of a South Korean semiconductor firm and a software development company.

5. Espionage Capabilities:

6. Response and Mitigation: While IPany removed the malicious installer, the incident highlights the need for proactive measures. Organizations must implement robust supply chain security practices, including code signing, integrity checks, and continuous monitoring of software distribution channels.

7. User Awareness: Infected users must take immediate action to clean their systems, emphasizing the importance of user education and awareness. Regular system scans, updates, and the use of reputable security software are critical in mitigating such threats.

8. Broader Implications: This attack is part of a larger trend of state-aligned cyber operations targeting critical industries, particularly in regions like South Korea and Japan. The semiconductor industry, a key player in global technology supply chains, is increasingly becoming a focal point for cyber espionage.
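Point 6 above calls for integrity checks on software distribution channels. One concrete form is a per-release manifest of member-name to SHA-256 that the vendor publishes and that users (or an automated download pipeline) verify before running the installer; a repackaged archive with extra files then shows up as members that the manifest never listed. The code below is an added example, not IPany's or ESET's; the "clean" release, the trojanized copy and the manifest are all constructed in memory, and the setup file name `IPanyVPNsetup.exe` is hypothetical (the report names only the ZIP).

```python
"""Release-manifest integrity check for a downloadable installer archive.

Added example, not the vendor's code. Assumes the vendor publishes a manifest
mapping archive member name -> SHA-256 for each release; everything below is
constructed in memory.
"""
import hashlib
import hmac
import io
import zipfile


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(zip_bytes: bytes) -> dict:
    """Hash every member of the archive; run at release time by the vendor."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return {info.filename: sha256_hex(zf.read(info)) for info in zf.infolist()}


def verify_against_manifest(zip_bytes: bytes, manifest: dict) -> dict:
    """Compare a downloaded archive with the published manifest.

    Returns members whose content hash differs ("modified"), members present in
    the archive but absent from the manifest ("added", the signature of an
    installer repackaged with extra files), and manifest entries that the
    archive lacks ("missing"). Hash comparison is constant-time.
    """
    actual = build_manifest(zip_bytes)
    modified = [n for n in manifest
                if n in actual and not hmac.compare_digest(manifest[n], actual[n])]
    added = [n for n in actual if n not in manifest]
    missing = [n for n in manifest if n not in actual]
    return {"modified": sorted(modified), "added": sorted(added), "missing": sorted(missing)}


def make_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed "clean" release as the vendor built it (hypothetical member names).
CLEAN_MEMBERS = {
    "IPanyVPNsetup.exe": b"constructed clean setup bytes",
    "license.txt": b"constructed licence text",
}
# Constructed trojanized copy: the same setup plus the extra files the report names.
TROJANIZED_MEMBERS = dict(CLEAN_MEMBERS, **{
    "svcghost.exe": b"constructed",
    "lregdll.dll": b"constructed",
    "winlogin.gif": b"constructed",
})
# Constructed copy in which the setup binary itself was replaced.
TAMPERED_MEMBERS = dict(CLEAN_MEMBERS, **{"IPanyVPNsetup.exe": b"constructed tampered setup"})

# The manifest the vendor would publish alongside the clean release.
RELEASE_MANIFEST = build_manifest(make_zip(CLEAN_MEMBERS))

if __name__ == "__main__":
    print(verify_against_manifest(make_zip(CLEAN_MEMBERS), RELEASE_MANIFEST))
    print(verify_against_manifest(make_zip(TROJANIZED_MEMBERS), RELEASE_MANIFEST))
    print(verify_against_manifest(make_zip(TAMPERED_MEMBERS), RELEASE_MANIFEST))
```

The manifest is only as trustworthy as the channel it arrives through: if it is served from the same web server as the installer, whoever can replace the archive can replace the manifest too, so it needs to be signed with a key the download site does not hold (the code-signing practice the same point recommends) or published out of band. The check also catches the opposite failure, a manifest entry the archive no longer contains, which is worth alerting on even though it is not what happened here.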

In conclusion, the IPany breach serves as a wake-up call for organizations and individuals alike. As cyber threats continue to evolve, adopting a proactive and comprehensive approach to cybersecurity is no longer optional—it is essential. By understanding the tactics, techniques, and procedures of adversaries like PlushDaemon, we can better defend against future attacks and safeguard our digital ecosystems.

References:

Reported By: Bleepingcomputer.com