South Korean VPN Provider IPany Hit by Supply Chain Attack, Spread Malware

South Korean VPN provider IPany has fallen victim to a supply chain attack carried out by the Chinese hacker group PlushDaemon. The attackers compromised the company’s VPN installer (IPanyVPNsetup.exe), injecting it with the SlowStepper backdoor.

According to researchers at ESET, who discovered the attack, victims include an unnamed South Korean semiconductor company and a software development firm. The first signs of infection appeared as early as November and December 2023, originating from Japan and China.

“The attackers replaced the legitimate installer with their own version, which deployed the group’s proprietary implant—SlowStepper. This is a multifunctional backdoor with a toolkit containing over 30 components,” the researchers wrote.

Malicious Installer Distributed via Official Website

IPany customers were infected with SlowStepper after downloading the ZIP installer (IPanyVPNsetup.zip) from the company’s website. When launched, the installer deployed both the legitimate IPany VPN product and malicious files (including svcghost.exe) that helped the malware persist on the system.

SlowStepper was loaded from an image file (winlogin.gif) via a malicious DLL (lregdll.dll), which was injected into the PerfWatson.exe process through DLL sideloading. The aforementioned svcghost executable ensured the process remained active at all times.

Researchers noted that these attacks used SlowStepper version 0.2.10 Lite, which has fewer features than the standard version but is more stealthy due to its smaller size.

“Both the full and Lite versions use toolkits written in Python and Go, enabling extensive data collection and espionage, including audio and video recording,” ESET explained.

SlowStepper Capabilities

SlowStepper is capable of:

  • Collecting various system data, including CPU brand, hard drive serial numbers, computer and host names, public IP address, list of running processes and installed applications, network interface data, system memory, webcam and microphone status, and whether the OS is running in a virtual machine;
  • Receiving and executing files from a command-and-control server, allowing additional payloads to be installed;
  • Listing files and directories on the compromised system;
  • Launching Python-based spyware tools for functions such as browser data theft, keylogging, and credential harvesting;
  • Activating a shell mode, enabling attackers to directly execute commands and create an interactive environment for controlling the compromised machine;
  • Deleting specific files or directories, which could be used to remove traces of the malware or disrupt system functionality;
  • Downloading and running specific Python spyware modules (such as Browser for browser data theft, WeChat, Telegram, and DingTalk for chat log extraction, ScreenRecord for screen activity capture, Camera for webcam recording, and CollectInfo for scanning disks for confidential documents).

Response and Recommendations

Researchers notified IPany representatives about the supply chain attack, after which the malicious installer was removed from the company’s website.

ESET emphasizes that all users who downloaded IPanyVPN from November 2023 (and possibly earlier) through May 2024 may be infected with SlowStepper. Potential victims are now urged to take immediate action to clean their systems of the malware.
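One way to triage a host for the loading chain described above (lregdll.dll sideloaded into PerfWatson.exe, with winlogin.gif and svcghost.exe on disk), as an added example that is not ESET's or IPany's code: it takes an exported process/module inventory and a file list, so it runs offline against EDR or process-listing output. Only the file names come from the article; the install directory and inventory below are constructed sample data.

```python
"""Triage helper for the SlowStepper loading chain reported by ESET.
Input is an inventory of (process name, loaded module path) pairs plus a
list of file paths. Only the file names come from the report; every
directory below is a constructed sample value, not a known install path."""
from pathlib import PureWindowsPath

SIDELOAD_HOST = "perfwatson.exe"      # legitimate host process abused for sideloading
SIDELOADED_DLL = "lregdll.dll"        # malicious DLL that loads the payload
PAYLOAD_CARRIER = "winlogin.gif"      # image file the backdoor is loaded from
PERSISTENCE_EXE = "svcghost.exe"      # keeps the injected process alive
SUSPICIOUS_FILES = (SIDELOADED_DLL, PAYLOAD_CARRIER, PERSISTENCE_EXE)


def find_indicators(process_modules, files_on_disk):
    """Return a list of findings; an empty list means none of the named
    artefacts were seen. Matching is by file name, case-insensitively."""
    findings = []
    # 1. The sideload itself: lregdll.dll mapped into PerfWatson.exe.
    for proc, module in process_modules:
        mod = PureWindowsPath(module)
        if proc.lower() == SIDELOAD_HOST and mod.name.lower() == SIDELOADED_DLL:
            findings.append(f"sideload: {proc} loaded {mod}")
    # 2. The on-disk components, grouped by the directory they sit in.
    by_name = {}
    for path in files_on_disk:
        p = PureWindowsPath(path)
        by_name.setdefault(p.name.lower(), set()).add(str(p.parent))
    for name in SUSPICIOUS_FILES:
        for directory in sorted(by_name.get(name, ())):
            findings.append(f"file: {name} in {directory}")
    return findings


# Constructed sample inventory for an infected host; the directory is invented.
SAMPLE_PROCESS_MODULES = [
    ("PerfWatson.exe", r"C:\Windows\System32\kernel32.dll"),
    ("PerfWatson.exe", r"C:\Sample\IPanyVPN\lregdll.dll"),
]
SAMPLE_FILES = [
    r"C:\Sample\IPanyVPN\winlogin.gif",
    r"C:\Sample\IPanyVPN\svcghost.exe",
    r"C:\Sample\IPanyVPN\lregdll.dll",
    r"C:\Windows\explorer.exe",
]

if __name__ == "__main__":
    for line in find_indicators(SAMPLE_PROCESS_MODULES, SAMPLE_FILES):
        print(line)
```

A hit on any of these names warrants full reimaging rather than file deletion, since the backdoor can stage further payloads from its command-and-control server.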
