Researchers believe bad actors are using man-in-the-middle (MitM) attacks against ASUS software to distribute the Plead backdoor.
Near the end of April 2019, researchers at ESET observed several attack attempts that both created and executed the Plead backdoor by abusing “AsusWSPanel.exe,” a legitimate process belonging to the Windows client for ASUS WebStorage, the cloud-based storage service developed by the ASUS Corporation. All Plead samples observed by ESET had the file name “Asus Webstorage Upate.exe” (sic).
In their analysis of these attack attempts, the Slovakian security firm said it suspected one of two things might have happened. It first considered that ASUS might have suffered a supply chain attack, but discounted this possibility based on three observations: the same update mechanism delivered valid ASUS WebStorage binaries, there is no evidence of the ASUS WebStorage servers having acted as C&C servers or delivered malicious binaries, and the attack attempts themselves used standalone malicious files not hidden inside legitimate software.
The more likely scenario in the minds of ESET’s researchers is that bad actors used MitM attacks and vulnerable routers to deliver the malware. Anton Cherepanov, malware researcher at ESET Slovakia, explained this reasoning in a blog post:
Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario.
Because the ASUS WebStorage software requests its update over plain HTTP, ESET reasons that attackers positioned on the network path could replace the “guid” and “link” elements in the XML response from the “update.asuswebstorage.com” server with their own data. The security firm observed exactly this in the wild: the attackers inserted a new URL that pointed to a malicious file hosted on a compromised gov.tw domain.
Once deployed, Plead acted as a first-stage downloader that fetched a file containing an image in PNG format. That file also carried data the malware used to execute a Windows PE binary, which copied itself to the Windows Start Menu startup folder to gain persistence. This executable used shellcode to load a third-stage DLL, which in turn retrieved an additional malicious module and executed it.
To protect against attacks such as the one described above, ESET recommends that organizations implement update mechanisms that are resistant to MitM attacks.
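The following Python example is added here to illustrate both the router-level rewrite of the plaintext update manifest described above and the kind of MitM-resistant update check ESET recommends. It is not code from ESET, ASUS or the Plead authors. The manifest schema (only `guid` and `link` are taken from the article), the element names, the pinned hostname, the attacker hostname and the signing key are all constructed for the example. The vendor signature is modelled with an HMAC so the block runs with the standard library alone; a real updater would use an asymmetric signature so that the verification key shipped in the client cannot be used to forge manifests.

```python
"""Added example (not ESET's, ASUS's or the malware's own code).

Models a router-level MitM rewriting the <guid>/<link> elements of an
update manifest fetched over plain HTTP, then shows the layered checks
a hardened updater applies before trusting a download link:
  1. the link must use TLS,
  2. the download host must be pinned,
  3. the manifest must carry a valid vendor signature.
All hostnames, GUIDs and keys below are constructed for illustration.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumption: stand-in for the vendor's signing key. In production this
# would be an asymmetric key pair with only the public half in the client.
VENDOR_KEY = b"constructed-vendor-key-not-real"

# Assumption: the only host an update may be fetched from.
ALLOWED_HOSTS = {"update.asuswebstorage.com"}


def canonical(root):
    """Bytes covered by the signature: the two elements the attackers rewrote."""
    return "\n".join(f"{tag}={root.findtext(tag, '')}" for tag in ("guid", "link")).encode()


def sign_manifest(guid, link, key):
    """Build a signed <update> manifest as the legitimate server would return it."""
    root = ET.Element("update")
    ET.SubElement(root, "guid").text = guid
    ET.SubElement(root, "link").text = link
    ET.SubElement(root, "signature").text = hmac.new(key, canonical(root), hashlib.sha256).hexdigest()
    return ET.tostring(root)


def mitm_rewrite(manifest, new_guid, new_link):
    """What an attacker on the router does to the plaintext HTTP response:
    swap the guid and link so the client fetches the attacker's file."""
    root = ET.fromstring(manifest)
    root.find("guid").text = new_guid
    root.find("link").text = new_link
    return ET.tostring(root)  # signature, if any, is left stale


def naive_client(manifest):
    """The vulnerable behaviour: trust whatever <link> the XML carries."""
    return ET.fromstring(manifest).findtext("link")


def validate_manifest(manifest, key, allowed_hosts=ALLOWED_HOSTS):
    """Hardened client. Returns (ok, link_or_reason)."""
    try:
        root = ET.fromstring(manifest)
    except ET.ParseError:
        return False, "malformed manifest"
    link = root.findtext("link", "")
    url = urlparse(link)
    if url.scheme != "https":
        return False, "refusing non-TLS download link"
    if url.hostname not in allowed_hosts:
        return False, f"download host {url.hostname!r} not pinned"
    expected = hmac.new(key, canonical(root), hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(root.findtext("signature", "").encode(), expected):
        return False, "signature mismatch: guid/link were altered in transit"
    return True, link


# Constructed sample traffic.
LEGIT_GUID = "00000000-0000-4000-8000-000000000001"
LEGIT_LINK = "https://update.asuswebstorage.com/AsusWSUpdate.exe"
LEGIT = sign_manifest(LEGIT_GUID, LEGIT_LINK, VENDOR_KEY)
# Attacker points the client at a file on a constructed gov.tw host.
TAMPERED = mitm_rewrite(LEGIT, "00000000-0000-4000-8000-00000000beef",
                        "http://compromised.example.gov.tw/logo.png")

if __name__ == "__main__":
    print("naive client follows:", naive_client(TAMPERED))
    print("hardened client says:", validate_manifest(TAMPERED, VENDOR_KEY))
```

The checks are ordered cheapest first; a manifest rewritten to an HTTP link fails on the scheme, one rewritten to an HTTPS link on a foreign host fails on the pin, and one that keeps the pinned host but changes the path fails on the signature. The naive client, by contrast, returns the attacker's URL without complaint, which is the behaviour the router-level MitM relied on.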