Press Center

Plead malware now uses compromised routers and likely man-in-the-middle attacks against ASUS Webstorage software

Created: 2019-05-14 13:00:00

BRATISLAVA – ESET researchers have recently discovered that the attackers behind Plead malware have been distributing it using compromised routers and man-in-the-middle (MitM) attacks against the legitimate ASUS WebStorage software. The new activity was detected by ESET in the territory of Taiwan, where Plead malware is most actively deployed. It was previously reported that Plead malware is used by the BlackTech group in targeted attacks, primarily those focused on cyberespionage in Asia.

In late April 2019, ESET researchers utilizing ESET telemetry observed multiple attempts to deploy this malware in an unusual way. Specifically, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe. This process belongs to a client for a cloud storage service called ASUS WebStorage. The executable file was digitally signed by the ASUS Cloud Corporation.

ESET suspects this is very likely to be a man-in-the-middle attack scenario, as the author of this research, ESET’s Anton Cherepanov, explains: “The ASUS WebStorage software is vulnerable to this type of attack. Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.”

According to previously reported research on the topic, Plead malware also compromises vulnerable routers and even uses them as C&C servers for the malware. “Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario,” adds Anton Cherepanov. He also offers a piece of advice: “It is very important for software developers to not only thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks.”

A possible second explanation scenario is a supply chain type of attack. Attacks on supply chains open unlimited opportunitiesfor attackers to stealthily compromise large numbers of targets at the same time. However, as the ESET research blog post elaborates, it is less likely to be the case, even though it cannot be fully discounted.

Man-in-the-middle attack scenario infographic

The illustration demonstrates the most likely scenario used to deliver malicious payloads to targets through compromised routers.

Version 2 Limited is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 Limited offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About ESET

For 30 years, ESET® has been developing industry-leading IT security software and services for businesses and consumers worldwide. With solutions ranging from endpoint security to encryption and two-factor authentication, ESET’s high-performing, easy-to-use products give individuals and businesses the peace of mind to enjoy the full potential of their technology. ESET unobtrusively protects and monitors 24/7, updating defenses in real time to keep users safe and businesses running without interruption. Evolving threats require an evolving IT security company. Backed by R&D facilities worldwide, ESET became the first IT security company to earn 100 Virus Bulletin VB100 awards, identifying every single “in-the-wild” malware without interruption since 2003.