Chinese Hackers Weaponize Korean VPN Software to Deploy Stealthy ‘SlowStepper’ Malware

Supply Chain Attack Compromises South Korean VPN Provider

A supply chain attack targeting IPany, a South Korean VPN provider, has been attributed to the Chinese hacking group “PlushDaemon.” The attackers tampered with the company’s VPN installer so that it delivers a custom backdoor called ‘SlowStepper’ alongside the legitimate VPN client, meaning anyone who downloaded the installer from the vendor received the malware.

Impact and Scope
– Attack period: November 2023 to May 2024
– Affected entities include a South Korean semiconductor firm and a software development company
– Initial infections detected in Japan
– All IPanyVPN downloads during this period potentially compromised

Technical Details
The attack methodology involves:
– Compromised installer (IPanyVPNsetup.exe) installs the legitimate VPN client and, alongside it, the malware, so the victim sees a working VPN and nothing obviously wrong
– Malicious payload (SlowStepper v0.2.10 Lite) loaded through two files dropped by the installer: a malicious DLL (lregdll.dll) and an image file (winlogin.gif) that carries the payload
– Process monitoring via a separate component, svcghost.exe

Key SlowStepper Capabilities:
1. System reconnaissance and data collection
2. Remote payload execution
3. File system enumeration
4. Python-based spyware deployment
5. Command shell access
6. File manipulation
7. Specialized modules for:
– Browser data theft
– Chat log extraction
– Screen recording
– Webcam access
– Document scanning

Remediation
– IPany has removed the compromised installer from its download site
– Existing infections are not fixed by the removal; affected systems require cleaning
– The trojanised installer applied no geographical restrictions, so anyone who downloaded it during the affected period could have been infected, not only users in South Korea
– Users who downloaded IPanyVPN during the affected period should treat their systems as compromised until they have been checked and cleaned
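As an added example (not code from the article, from IPany, or from the researchers who reported the campaign), the following Python script turns the Technical Details above into a triage sweep for the system cleaning the Remediation section calls for: it walks a directory tree, reports every file whose name matches one of the artifact names the article lists (IPanyVPNsetup.exe, lregdll.dll, winlogin.gif, svcghost.exe), hashes each hit with SHA-256 so it can be compared against vendor-published indicators, and additionally flags a winlogin.gif that does not begin with a GIF signature. The artifact names come from the article; the fake-GIF heuristic and the sample directory tree it runs against are my assumptions, constructed for the demo.

```python
"""Triage sweep for the file names the article associates with the
trojanised IPanyVPN installer. Added example, not code from the article,
IPany or the researchers who reported the campaign."""
import hashlib
import os
import tempfile
from pathlib import Path

# File names taken from the article. A name match is a weak indicator on its
# own, so every hit is hashed for comparison with published indicators.
ARTIFACT_NAMES = {"ipanyvpnsetup.exe", "lregdll.dll", "winlogin.gif", "svcghost.exe"}

# Assumption (not stated in the article): a *.gif that is really a payload
# carrier is unlikely to start with a genuine GIF signature.
GIF_MAGICS = (b"GIF87a", b"GIF89a")


def sha256_of(path):
    """Stream the file through SHA-256 so large binaries never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def lacks_gif_header(path):
    """True when the first bytes are not a GIF87a/GIF89a signature."""
    with open(path, "rb") as fh:
        return not fh.read(6).startswith(GIF_MAGICS)


def sweep(root):
    """Walk root and return one record per file whose name is on the list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            lowered = name.lower()
            if lowered not in ARTIFACT_NAMES:
                continue
            path = os.path.join(dirpath, name)
            reasons = ["name matches reported artifact"]
            if lowered.endswith(".gif") and lacks_gif_header(path):
                reasons.append("gif extension but no GIF header")
            hits.append({"path": path, "sha256": sha256_of(path), "reasons": reasons})
    return hits


def summarize(hits):
    """Deterministic (name, reasons) view of the hits for reports and tests."""
    return sorted((os.path.basename(h["path"]).lower(), tuple(h["reasons"])) for h in hits)


def build_sample_tree():
    """Constructed directory tree for the demo; the file contents are
    placeholders, not real malware. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="ipany_sweep_demo_")
    app = Path(root, "Program Files", "IPanyVPN")
    app.mkdir(parents=True)
    (app / "IPanyVPN.exe").write_bytes(b"MZ placeholder")          # not on the list
    (app / "lregdll.dll").write_bytes(b"MZ\x90\x00 placeholder")    # listed name
    (app / "winlogin.gif").write_bytes(b"\x00\x01 not a real gif")  # listed name, no GIF header
    pictures = Path(root, "Users", "alice", "Pictures")
    pictures.mkdir(parents=True)
    (pictures / "winlogin.gif").write_bytes(b"GIF89a\x01\x00")     # name collision, genuine header
    return root


if __name__ == "__main__":
    for hit in sweep(build_sample_tree()):
        print(hit["sha256"], hit["path"], "; ".join(hit["reasons"]), sep="  ")
```

Point sweep() at a mounted disk image or at the Program Files and user profile directories of a suspect host (run with enough privilege to read them). Treat the output as a list of files to examine and hash-check, not as a verdict: in the constructed tree the user's genuine picture named winlogin.gif is reported on its name alone, while the dropped copy next to lregdll.dll is also flagged for lacking a GIF header.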