🚨 IPany VPN Breached in Supply-Chain Attack: Hackers Deploy SlowStepper Malware 🚨

Overview of the Breach
South Korean VPN provider IPany fell victim to a supply chain attack attributed to the China-aligned threat group tracked as PlushDaemon. The attackers abused IPany's development platform to bundle the SlowStepper backdoor into the company's VPN installer (IPanyVPNsetup.exe), so customers who downloaded and ran the official installer infected their own systems. The attack, uncovered by ESET researchers, has already affected a South Korean semiconductor company and a South Korean software development company, among others. Evidence suggests the campaign began as early as November 2023, with infected systems identified in Japan and South Korea.
The SlowStepper Malware in Action
Infection Mechanism
Customers became infected by downloading the trojanized ZIP installer (IPanyVPNsetup.zip) directly from IPany's website. When run, the installer deployed the legitimate VPN product alongside svcghost.exe, a malicious executable that establishes persistence by adding a Run key to the Windows Registry so it is relaunched at every logon.
Key Components of the Infection Process:
Payload Loading:
Persistence:
SlowStepper Capabilities
The version deployed in this campaign, SlowStepper 0.2.10 Lite, is a smaller but stealthier build of the backdoor. It is backed by a toolkit of Python- and Go-based modules that give the operators a wide range of espionage and data-collection functions.
Supported Commands
0x32: Collect system details, including CPU specs, IP address, installed applications, and webcam/microphone status.
0x5A: Fetch and execute additional payloads from the command-and-control (C&C) server.
0x3F: Enumerate files and directories on the infected system.
0x38: Deploy Python-based spyware tools for keylogging, credential harvesting, and browser data theft.
0x3A: Activate shell mode for direct command execution, offering attackers complete control over the system.
0x39: Delete files or directories to erase traces or disrupt operations.
pycall: Execute specific Python modules for advanced espionage tasks, such as:
Browser data theft
Messaging app spying: extract logs from WeChat, Telegram, and DingTalk
Screen and webcam recording
Disk scanning for sensitive documents
Exposure Window and Indicators of Compromise (IoCs)
The trojanized installer was available on the IPany website from November 2023 to May 2024, so every customer who downloaded it during that window was exposed. Notably, there were no geo-fencing restrictions on the download page, meaning that anyone, anywhere, could have downloaded and run the malicious package. The artefacts this page names (the installer IPanyVPNsetup.zip, the persistence executable svcghost.exe, and the malicious lregdll.dll) are the starting point for a hunt; ESET's published IoCs provide the file hashes and network indicators needed to confirm a match rather than relying on file names alone.
The Impact of the Breach
The SlowStepper Lite variant may be lightweight compared to the full version, but its capabilities still make it a potent tool for espionage and data theft. Infected organizations, such as the South Korean semiconductor firm, may have suffered intellectual property theft or unauthorized access to sensitive systems. The attack highlights the weak point in software supply chains: a compromise at a single trusted vendor is inherited by every customer who installs that vendor's software.
Response and Mitigation
Vendor Response
Once notified by ESET researchers, IPany promptly removed the compromised installer from its website. Removing the download does not, however, help customers who had already installed the backdoored package; those systems remain infected until they are cleaned.
Recommended Actions for Users
Uninstall the Compromised Software: Immediately remove the IPany VPN installation that came from the trojanized installer, and delete the downloaded IPanyVPNsetup.zip so it cannot be run again.
Perform a Comprehensive System Scan: Use reputable security software to detect and remove svcghost.exe, lregdll.dll, and related malicious files. Where infection is confirmed, treat the host as fully compromised: the backdoor's shell mode gives the operators arbitrary command execution, so reimaging is safer than cleaning in place.
Reset Credentials: Change passwords for accounts used from infected systems, from a clean device, as the spyware modules harvest credentials and browser data.
Check IoCs: Compare your systems against the indicators of compromise published by ESET (file hashes, file names, and network indicators) to determine whether you were affected.
Reinstall the VPN Software: Download the updated, clean installer from IPany's website and verify its hash against the value the vendor publishes before running it.
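The Run-key persistence described under Infection Mechanism and the scan-and-check steps above are straightforward to automate. The script below is an added example written for this page, not tooling from ESET or IPany. It parses Run-key entries (from a `reg export` text on any OS, or from the live registry on Windows), flags commands referencing the file names the page gives, and hashes candidate files against a set of known-bad SHA-256 values. The registry export text and the installer bytes are constructed samples, and the hash set is a hypothetical placeholder where a responder would paste ESET's published hashes.

```python
"""Triage helper for hosts that may have run the trojanized IPanyVPNsetup installer.

Added example, not ESET's or IPany's tooling. The sample registry export and
installer bytes below are constructed so the checks run offline.
"""
import hashlib
import re
import tempfile
from pathlib import Path

# File names taken from the page. The hash set is a hypothetical placeholder;
# replace it with the SHA-256 values from ESET's published IoCs.
SUSPICIOUS_NAMES = {"svcghost.exe", "lregdll.dll"}
KNOWN_BAD_SHA256 = {"0" * 64}  # placeholder, not a real IoC

# Constructed sample in `reg export` format: one benign entry, one suspicious.
SAMPLE_REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"svcghost"="C:\\Program Files\\IPanyVPN\\svcghost.exe"
'''

RUN_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"


def parse_run_entries(reg_text):
    """Return (key, value_name, command) tuples for Run keys in a reg export."""
    entries, current_key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
        elif current_key and current_key.upper().endswith("\\RUN"):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                # reg export doubles backslashes inside string values
                entries.append((current_key, m.group(1), m.group(2).replace("\\\\", "\\")))
    return entries


def live_run_entries():
    """Read both Run keys from the live registry (Windows only; [] elsewhere)."""
    try:
        import winreg
    except ImportError:
        return []
    entries = []
    for hive, root in ((winreg.HKEY_LOCAL_MACHINE, "HKEY_LOCAL_MACHINE"),
                       (winreg.HKEY_CURRENT_USER, "HKEY_CURRENT_USER")):
        try:
            with winreg.OpenKey(hive, RUN_SUBKEY) as key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break
                    entries.append((root + "\\" + RUN_SUBKEY, name, str(value)))
                    i += 1
        except OSError:
            continue
    return entries


def flag_run_entries(entries):
    """Keep entries whose command references a file name from SUSPICIOUS_NAMES."""
    # Substring match on the whole command, since paths may contain spaces.
    return [e for e in entries if any(n in e[2].lower() for n in SUSPICIOUS_NAMES)]


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hash_hits(paths, bad_hashes=KNOWN_BAD_SHA256):
    """Return paths whose SHA-256 is in bad_hashes; missing paths are skipped."""
    return [str(p) for p in map(Path, paths) if p.is_file() and sha256_of(p) in bad_hashes]


def triage(reg_text, candidate_paths, bad_hashes=KNOWN_BAD_SHA256):
    """Run both checks and return the findings."""
    entries = parse_run_entries(reg_text) + live_run_entries()
    return {"run_key_hits": flag_run_entries(entries),
            "hash_hits": hash_hits(candidate_paths, bad_hashes)}


def demo():
    """Exercise the checks on the constructed sample plus a throwaway file."""
    sample = b"constructed stand-in for a trojanized installer"
    with tempfile.TemporaryDirectory() as d:
        p = Path(d) / "IPanyVPNsetup.exe"
        p.write_bytes(sample)
        return triage(SAMPLE_REG_EXPORT, [p, Path(d) / "missing.exe"],
                      {hashlib.sha256(sample).hexdigest()})


if __name__ == "__main__":
    print(demo())
```

A hit on a file name alone is only a lead: confirm with the published hashes or network indicators before declaring a host compromised, and remember that a backdoor with shell access may have added persistence beyond the one Run key the page describes.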
Lessons from the Attack
The Supply Chain Threat
This breach underscores the persistent risk of supply chain attacks. Organizations rely on trusted software vendors, yet a single compromise upstream delivers malware to every downstream system that installs the affected release. Security programs should therefore extend beyond internal systems to vetting and monitoring third-party suppliers and verifying the integrity of the software they ship.
Stealthy Malware
The use of SlowStepper Lite highlights how attackers balance functionality with stealth. Its smaller footprint makes it harder to detect while retaining essential capabilities for espionage.
Geo-fencing and Targeting
The absence of geo-fencing or other restrictions on the download page means the attackers accepted infections from anywhere rather than limiting exposure to chosen targets. The victims ESET identified, however, are companies in South Korea and Japan, including a semiconductor firm, which indicates a strategic interest in sensitive industries within the broader pool of infected users.
Final Thoughts
The breach of IPany VPN serves as a wake-up call for businesses and users worldwide. Supply chain attacks continue to evolve, leveraging trusted platforms to distribute malware stealthily. To mitigate such risks:
Implement Robust Security Measures: Vendors must harden their build and release environments, since the installer customers download is only as trustworthy as the pipeline that produced it.
Educate Users: Customers should download software only from verified sources, verify published hashes or signatures where available, and scan installers before running them.
Strengthen Incident Response Plans: Businesses must prepare for supply chain breaches by ensuring they can detect a compromised vendor package and respond quickly when indicators are published.
As the PlushDaemon hacking group demonstrates, attackers are always seeking new ways to exploit vulnerabilities. For cybersecurity professionals, the challenge lies in staying one step ahead. For affected users, immediate action is critical to limit the damage caused by this attack.
About the Creator
WIRE TOR - Ethical Hacking Services
WIRE TOR is a Cyber Intelligence Company that Provides Pentest & Cybersecurity News About IT, Web, Mobile (iOS, Android), API, Cloud, IoT, Network, Application, System, Red teaming, Social Engineering, Wireless, And Source Code.