PLEAD malware now uses compromised routers and likely man-in-the-middle attack against ASUS WebStorage software

BRATISLAVA, May 14, 2019 – ESET researchers have recently discovered that the attackers behind PLEAD malware have been distributing it using compromised routers and man-in-the-middle (MitM) attacks against the legitimate ASUS WebStorage software. The new activity was detected by ESET in Taiwan, where PLEAD malware is most actively deployed. It was previously reported that PLEAD malware is used by the BlackTech group in targeted attacks, primarily focused on cyberespionage in Asia.

In late April 2019, ESET researchers using ESET telemetry observed multiple attempts to deploy this malware in an unusual way. Specifically, the PLEAD backdoor was created and executed by a legitimate process named AsusWSPanel.exe. This process belongs to a client for a cloud storage service called ASUS WebStorage. The executable file was digitally signed by the ASUS Cloud Corporation.

ESET suspects this is very likely a man-in-the-middle attack scenario, as the author of this research, ESET’s Anton Cherepanov, explains: “The ASUS WebStorage software is vulnerable to this type of attack. Namely, the software update is requested and transferred using HTTP. Once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.”

According to previously reported research on the topic of PLEAD malware, it also compromises vulnerable routers and even uses them as C&C servers for the malware. “Our investigation uncovers that most of the affected organizations have routers made by the same manufacturer; moreover, the admin panel of these routers is accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario,” adds Anton Cherepanov and offers this piece of advice: “It is very important for software developers to not only thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks”.
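The update check that advice calls for, as an added example that is not code from ESET or ASUS: the client verifies an Ed25519 signature over an update manifest against a pinned vendor key, requires an https URL, and compares the payload's SHA-256 before anything is executed. The manifest format, function names, URLs and keys are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
	"net/url"
)

// Manifest is what the vendor signs (hypothetical format, not ASUS's).
type Manifest struct {
	URL    string
	SHA256 [32]byte
}

func (m Manifest) signedBytes() []byte { return append([]byte(m.URL+"\n"), m.SHA256[:]...) }

// VerifyUpdate returns nil only for a pinned-key signature, an https URL and a matching digest.
func VerifyUpdate(pinned ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinned, m.signedBytes(), sig) { // check before trusting any field
		return errors.New("manifest signature invalid")
	}
	if u, err := url.Parse(m.URL); err != nil || u.Scheme != "https" {
		return errors.New("update URL is not https")
	}
	if sha256.Sum256(payload) != m.SHA256 {
		return errors.New("payload digest mismatch")
	}
	return nil
}

// Demo runs four constructed cases and returns the verdict for each.
func Demo() (genuine, swapped, resigned, plainHTTP error) {
	seed := make([]byte, ed25519.SeedSize) // constructed test seeds, not real keys
	vendor := ed25519.NewKeyFromSeed(seed)
	seed[0] = 1
	other := ed25519.NewKeyFromSeed(seed) // a key the client does not pin
	pinned := vendor.Public().(ed25519.PublicKey)
	payload, evil := []byte("constructed installer"), []byte("constructed replacement")
	m := Manifest{URL: "https://updates.example.invalid/client.exe", SHA256: sha256.Sum256(payload)}
	bad := Manifest{URL: m.URL, SHA256: sha256.Sum256(evil)}
	plain := Manifest{URL: "http://updates.example.invalid/client.exe", SHA256: m.SHA256}
	return VerifyUpdate(pinned, m, ed25519.Sign(vendor, m.signedBytes()), payload),
		VerifyUpdate(pinned, m, ed25519.Sign(vendor, m.signedBytes()), evil),
		VerifyUpdate(pinned, bad, ed25519.Sign(other, bad.signedBytes()), evil),
		VerifyUpdate(pinned, plain, ed25519.Sign(vendor, plain.signedBytes()), payload)
}
func main() { fmt.Println(Demo()) }
```

Only the first case is accepted: a payload replaced in transit fails the digest check, a manifest signed with any key other than the pinned one fails the signature check, and a correctly signed manifest that points at plain HTTP is still refused.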

A second possible explanation is a supply-chain attack. Attacks on supply chains open unlimited opportunities for attackers to stealthily compromise large numbers of targets at the same time. However, as the ESET research blog post elaborates, this scenario is less likely, even though it cannot be fully discounted.

Man-in-the-middle attack scenario infographic

The illustration demonstrates the most likely scenario used to deliver malicious payloads to targets through compromised routers.
