Researchers believe bad actors are using man-in-the-middle (MitM) attacks against ASUS software to distribute the Plead backdoor.

Near the end of April 2019, researchers at ESET observed several attack attempts that both created and executed the Plead backdoor using “AsusWSPanel.exe,” a legitimate process which belongs to the Windows client for the cloud-based storage service ASUS WebStorage developed by the ASUS Corporation. In fact, all Plead samples observed by ESET had the name “Asus Webstorage Upate.exe”

In their analysis of these attack attempts, the Slovakian security firm said it believes that one of two things might have happened. It proposed that ASUS might have suffered a supply chain attack. But ESET discounted this possibility based on three observations: the same update mechanism delivered legitimate ASUS WebStorage binaries, there’s no evidence of the ASUS WebStorage binaries having acted as C&C servers or delivered malicious binaries and the attack attempts themselves delivered standalone malicious files not hidden in legitimate software.

The more likely situation in the minds of ESET’s researchers is that bad actors used MitM attacks and vulnerable routers to deliver the malware. Anton Cherepanov, malware researcher at ESET Slovakia, articulated this viewpoint in a blog post:

Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario.

As the ASUS WebStorage software requests an update using HTTP, ESET reasons that the attackers might have replaced the “guid” and “link” elements included in the “update.asuswebstorage.com” server’s XML request with their own data. The security firm actually observed this happen in the wild. In that instance, they inserted a new URL that pointed to (Read more...)