Wednesday, March 19, 2025
Follow us On Linkedin
HomeComputer SecurityHackers Distribute PLEAD Malware through Supply-chain and man-in-the-middle Attack

Hackers Distribute PLEAD Malware through Supply-chain and man-in-the-middle Attack

Computer SecurityCyber AttackCyber Security NewsMalware

Published on

By Gurubaran
Plead Malware

Supply Chain Attack Prevention

SIEM as a Service

Follow Us on Google News

Security researchers a new malware campaign that delivers Plead malware by abusing legitimate software that developed by ASUS Cloud Corporation.

The PLEAD malware found to be active since 2012, and the executables are signed with the stolen certificate.

The new campaign executed through a legitimate process named AsusWSPanel.exe, which is the windows client for ASUS WebStorage.

According to researchers, two possible attack scenarios include Supply chain and Man-in-the-middle attack. Researchers believe the possibility of supply-chain attack is a less possible scenario.

In the case of Man-in-the-middle attack, the update request is handled through an HTTP request. Also, there is no validation on the downloaded update before execution. If the update process intercepted by attackers, they were able to push a malicious update.

“Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario,” reads ESET report.

The update requests to update.asuswebstorage.com are sent through HTTP, in response to that the server sends an XML file that contains guid and the link, whereas the guid contains available version, and the link contains the download link.

Attackers can intercept the request and can replace the guid and the link data with their data pointing to a malicious server.

Plead Malware Execution

The deployed Plead sample is the first-stage downloader, which downloads the fav.ico from a malicious server that poses as an official ASUS WebStorage server.

The malicious file then decrypted by Plead drop another executable which is to decrypt shellcode from its PE resource and execute it in memory. Shellcode is the third-stage DL also known as TSCookie which downloads additional modules form a C&C server and execute it.

Plead Malware Harvest Login credentials form Browsers and Email clients, upload files, Execute applications ShellExecute API and delete target files.

The malware is connected with BlackTech Cyber Espionage group, and it is known for exploiting several vulnerabilities.

Indicators of Compromise

 SHA-1 
77F785613AAA41E4BF5D8702D8DFBD315E784F3E
 322719458BC5DFFEC99C9EF96B2E84397285CD73
 F597B3130E26F184028B1BA6B624CF2E2DECAA67

C&C
 update.asuswebstorage.com.ssmailer[.]com
 www.google.com.dns-report[.]com

Also Read

APT Malware LOLBins & GTFOBins Attack users by Evading the Security System

Gallmaker Hacking Group Attack Government, Military, and Defense Sectors Using Publicly Available Hacking Tools

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

CVE/vulnerability

Windows File Explorer Vulnerability Enables Network Spoofing Attacks: PoC Released

A critical vulnerability in Windows File Explorer has been discovered, allowing attackers to capture...
CVE/vulnerability

CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit

The Cybersecurity and Infrastructure Security Agency (CISA) issued a critical security warning regarding a...
cryptocurrency

Fake Coinbase Migration Messages Target Users to Steal Wallet Credentials

A sophisticated phishing campaign is currently targeting cryptocurrency investors with fraudulent emails claiming to...
cyber security

Electromagnetic Side-Channel Analysis of Cryptographically Secured Devices

Electromagnetic (EM) side-channel analysis has emerged as a significant threat to cryptographically secured devices,...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

Register Now

More like this

CVE/vulnerability

Windows File Explorer Vulnerability Enables Network Spoofing Attacks: PoC Released

A critical vulnerability in Windows File Explorer has been discovered, allowing attackers to capture...
CVE/vulnerability

CISA Issues Security Warning on Fortinet FortiOS Authentication Bypass Exploit

The Cybersecurity and Infrastructure Security Agency (CISA) issued a critical security warning regarding a...
cryptocurrency

Fake Coinbase Migration Messages Target Users to Steal Wallet Credentials

A sophisticated phishing campaign is currently targeting cryptocurrency investors with fraudulent emails claiming to...

GBHackers on Security is a top cybersecurity news platform, delivering up-to-date coverage on breaches, emerging threats, malware, vulnerabilities, and global cyber incidents.

Company

Trending

Categories

Copyright @ 2016 - 2025 GBHackers On Security - All Rights Reserved