Researchers believe that bad actors use man-in-the-middle (MitM) attacks against ASUS software to spread the Plead back door.
At the end of April 2019, ESET researchers observed several attack attempts in which the Plead back door was created and executed by 'AsusWSPanel.exe', a legitimate process belonging to the Windows client for the cloud-based storage service ASUS WebStorage, developed by the ASUS Corporation. In fact, all Plead samples observed by ESET were named "Asus Webstorage Upate.exe".
In its analysis of these attack attempts, the Slovak security company said it believes one of two things might have happened. One possibility is that ASUS was the victim of a supply chain attack. But ESET discounted this possibility based on three observations: the same update mechanism delivered legitimate ASUS WebStorage binaries, there is no evidence that the ASUS WebStorage servers acted as C&C servers or delivered malicious binaries, and the attack attempts themselves used stand-alone malicious files that were not hidden inside legitimate software.
The more likely scenario, in the view of ESET's researchers, is that bad actors used MitM attacks through vulnerable routers to deliver the malware. Anton Cherepanov, malware researcher at ESET Slovakia, expressed this position in a blog post:
Our investigation revealed that most of the affected organizations have routers made by the same producer; in addition, the management panels of these routers are accessible from the internet. We therefore believe that a MitM attack at the router level is the most likely scenario.
Because the ASUS WebStorage software requests updates over plain HTTP, ESET argues that attackers could replace the "guid" and "link" elements in the XML response from the "update.asuswebstorage.com" server with their own data. The security company observed this happening in the wild: in that case, the attackers inserted a new URL pointing to a malicious file hosted on a compromised gov.tw domain.
Once deployed, Plead acted as a first-stage downloader that fetched a file containing a PNG image together with data the malware used to run a Windows PE binary; that binary wrote itself to the Windows Start Menu Startup folder to gain persistence. The executable uses shellcode to load a third-stage DLL, which in turn retrieved and executed an additional malicious module.
To protect against campaigns such as the one described above, ESET recommends that organizations implement update mechanisms that are resistant to MitM attacks.
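The following is an added illustration, not code from ESET, ASUS or the article, of the difference between an update client that follows whatever "link" a plain-HTTP manifest hands it and one that meets the recommendation above. The manifest layout (guid, link, sha256, signature elements), the host allowlist, the constructed payload bytes and the attacker host name are all assumptions made for the demo. A keyed HMAC under a pinned key stands in for the asymmetric signature a real updater would verify, because the standard library has no public-key primitives; in production the verification key would be public and the private key would stay on the vendor's signing infrastructure.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Assumptions for the demo: the client ships an allowlist of update hosts and a
# pinned verification key. The key is a constructed placeholder; a real updater
# would pin a public key and verify an asymmetric signature.
ALLOWED_HOSTS = {"update.asuswebstorage.com"}
PINNED_KEY = b"constructed-demo-key-not-for-production"

FIELDS = ("guid", "link", "sha256", "signature")


def parse_manifest(xml_bytes):
    """Read the update manifest into a dict; missing elements become empty strings."""
    root = ET.fromstring(xml_bytes)
    return {tag: (root.findtext(tag) or "") for tag in FIELDS}


def serialize_manifest(m):
    """Write a manifest dict back to XML (the server-side format is an assumption)."""
    body = "".join("<%s>%s</%s>" % (tag, m.get(tag, ""), tag) for tag in FIELDS)
    return ("<update>%s</update>" % body).encode()


def manifest_mac(m):
    """Authentication tag over guid, link and hash, bound together so no field can be swapped alone."""
    msg = "\n".join((m["guid"], m["link"], m["sha256"])).encode()
    return hmac.new(PINNED_KEY, msg, hashlib.sha256).hexdigest()


def vendor_manifest(guid, link, payload):
    """What the genuine update server would publish for a given installer."""
    m = {"guid": guid, "link": link, "sha256": hashlib.sha256(payload).hexdigest()}
    m["signature"] = manifest_mac(m)
    return serialize_manifest(m)


def naive_accepts(m):
    """A client that follows any link the manifest hands it, as a plain-HTTP updater effectively does."""
    return bool(m["link"])


def hardened_accepts(m, payload):
    """Accept only when the link is HTTPS to an allowlisted host, the manifest
    authenticates under the pinned key, and the downloaded bytes match the hash."""
    url = urlparse(m["link"])
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
        return False
    if not hmac.compare_digest(manifest_mac(m), m["signature"]):
        return False
    return hmac.compare_digest(hashlib.sha256(payload).hexdigest(), m["sha256"])


def scenarios():
    """Constructed cases; returns {name: (naive_accepts, hardened_accepts)}."""
    genuine_payload = b"constructed genuine installer bytes"
    malicious_payload = b"constructed malicious installer bytes"
    genuine_xml = vendor_manifest(
        "constructed-guid-0001",
        "https://update.asuswebstorage.com/installer.exe",
        genuine_payload,
    )

    # Manifest rewritten in transit: guid and link replaced, no signing key available.
    rewritten = parse_manifest(genuine_xml)
    rewritten.update(guid="attacker-guid", link="http://attacker-host.example/installer.exe")
    rewritten_xml = serialize_manifest(rewritten)

    # Manifest left alone but the hash field edited to match a substituted download.
    forged = parse_manifest(genuine_xml)
    forged["sha256"] = hashlib.sha256(malicious_payload).hexdigest()
    forged_xml = serialize_manifest(forged)

    cases = {
        "genuine": (genuine_xml, genuine_payload),
        "rewritten_link": (rewritten_xml, malicious_payload),
        "swapped_payload": (genuine_xml, malicious_payload),  # download substituted, manifest intact
        "forged_hash": (forged_xml, malicious_payload),
    }
    return {
        name: (naive_accepts(parse_manifest(xml)), hardened_accepts(parse_manifest(xml), payload))
        for name, (xml, payload) in cases.items()
    }


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print("%-16s naive=%s hardened=%s" % (name, *verdict))
```

The three rejections come from three independent checks: the rewritten link fails the transport and host policy, the substituted download fails the hash comparison, and the forged hash fails the manifest authentication because the attacker cannot recompute the tag. Each check covers a case the others miss, which is why an updater needs all of them rather than HTTPS alone.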