Researchers believe bad actors are using man-in-the-middle (MitM) attacks against ASUS software to distribute the Plead backdoor.
Near the end of April 2019, researchers at ESET observed several attack attempts that both created and executed the Plead backdoor using “AsusWSPanel.exe,” a legitimate process which belongs to the Windows client for the cloud-based storage service ASUS WebStorage developed by the ASUS Corporation. In fact, all Plead samples observed by ESET had the name “Asus Webstorage Upate.exe”
In their analysis of these attack attempts, the Slovakian security firm said it believes that one of two things might have happened. It proposed that ASUS might have suffered a supply chain attack. But ESET discounted this possibility based on three observations: the same update mechanism delivered legitimate ASUS WebStorage binaries, there’s no evidence of the ASUS WebStorage binaries having acted as C&C servers or delivered malicious binaries and the attack attempts themselves delivered standalone malicious files not hidden in legitimate software.
The more likely situation in the minds of ESET’s researchers is that bad actors used MitM attacks and vulnerable routers to deliver the malware. Anton Cherepanov, malware researcher at ESET Slovakia, articulated this viewpoint in a blog post:
Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario.
As the ASUS WebStorage software requests an update using HTTP, ESET reasons that the attackers might have replaced the “guid” and “link” elements included in the “update.asuswebstorage.com” server’s XML request with their own data. The security firm actually observed this happen in the wild. In that instance, they inserted a new URL that pointed to a malicious file hosted at a compromised gov.tw domain.
Once deployed, Plead acted as a first-stage downloader that loaded a file that contained an image in PNG format. It also contained data which the malware used to execute a Windows PE binary that wrote itself to the Windows Start Menu startup folder, thereby gaining persistence. This executable used shellcode to load a third-stage DLL. This asset, in turn, retrieved an additional malicious module and executed it.
To protect against campaigns such as the one described above, ESET recommends that organizations implement update mechanisms that are resistant to MitM attacks.