ESET researchers have recently discovered that the attackers behind Plead malware have been distributing it using compromised routers and man-in-the-middle (MitM) attacks against the legitimate ASUS WebStorage software. The new activity was detected by ESET in Taiwan, where Plead malware is most actively deployed. It was previously reported that Plead malware is used by the BlackTech group in targeted attacks, primarily those focused on cyberespionage in Asia.
In late April 2019, ESET researchers utilizing ESET telemetry observed multiple attempts to deploy this malware in an unusual way. Specifically, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe. This process belongs to a client for a cloud storage service called ASUS WebStorage. The executable file was digitally signed by the ASUS Cloud Corporation.
ESET suspects this is very likely to be a man-in-the-middle attack scenario, as the author of this research, ESET’s Anton Cherepanov, explains: “The ASUS WebStorage software is vulnerable to this type of attack. Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.”
According to previously reported research on the topic, Plead malware also compromises vulnerable routers and even uses them as C&C servers for the malware. “Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario,” adds Anton Cherepanov.
He also offers a piece of advice: “It is very important for software developers to not only thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks.” A second possible explanation is a supply-chain attack. Attacks on supply chains give attackers the opportunity to stealthily compromise large numbers of targets at the same time. However, this is the less likely scenario, even though it cannot be fully discounted.
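The check the article says the updater lacked, as an added illustration that is not code from the article, ESET or ASUS: a hypothetical update client that verifies an Ed25519 signature from a pinned publisher key over the installer's version and SHA-256 before anything is executed, so a payload swapped on an unauthenticated HTTP path is rejected. The Manifest layout, function names and sample bytes are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is a constructed update descriptor: the publisher signs the
// version and the SHA-256 of the installer; the client pins the public key.
type Manifest struct {
	Version   uint32
	SHA256Hex string
	Sig       []byte
}

// manifestBytes is the canonical byte string that is signed and verified.
func manifestBytes(m Manifest) []byte {
	return []byte(fmt.Sprintf("v%d:%s", m.Version, m.SHA256Hex))
}

// Sign is the publisher-side step; it runs on build infrastructure, never on the client.
func Sign(priv ed25519.PrivateKey, version uint32, payload []byte) Manifest {
	sum := sha256.Sum256(payload)
	m := Manifest{Version: version, SHA256Hex: hex.EncodeToString(sum[:])}
	m.Sig = ed25519.Sign(priv, manifestBytes(m))
	return m
}

// VerifyUpdate is the client-side gate that must pass before the downloaded file
// runs: valid signature under the pinned key, no rollback, payload matches the hash.
func VerifyUpdate(pub ed25519.PublicKey, installed uint32, m Manifest, payload []byte) error {
	if !ed25519.Verify(pub, manifestBytes(m), m.Sig) {
		return errors.New("manifest signature invalid")
	}
	if m.Version <= installed {
		return errors.New("manifest version not newer than installed (rollback)")
	}
	if sum := sha256.Sum256(payload); hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return errors.New("payload hash does not match signed manifest")
	}
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	genuine := []byte("constructed sample installer bytes")
	m := Sign(priv, 2, genuine)
	fmt.Println("genuine:", VerifyUpdate(pub, 1, m, genuine))
	fmt.Println("swapped:", VerifyUpdate(pub, 1, m, []byte("bytes substituted in transit")))
}
```

Transport encryption (HTTPS) is still needed on top of this so an on-path attacker cannot observe or block updates, but the signature check is what prevents a substituted binary from ever being executed.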