Security researchers a new malware campaign that delivers Plead malware by abusing legitimate software that developed by ASUS Cloud Corporation.
The PLEAD malware found to be active since 2012, and the executables are signed with the stolen certificate.
The new campaign executed through a legitimate process named AsusWSPanel.exe, which is the windows client for ASUS WebStorage.
According to researchers, two possible attack scenarios include Supply chain and Man-in-the-middle attack. Researchers believe the possibility of supply-chain attack is a less possible scenario.
In the case of Man-in-the-middle attack, the update request is handled through an HTTP request. Also, there is no validation on the downloaded update before execution. If the update process intercepted by attackers, they were able to push a malicious update.
“Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario,” reads ESET report.
The update requests to update.asuswebstorage.com are sent through HTTP, in response to that the server sends an XML file that contains guid and the link, whereas the guid contains available version, and the link contains the download link.
Attackers can intercept the request and can replace the guid and the link data with their data pointing to a malicious server.
Plead Malware Execution
The deployed Plead sample is the first-stage downloader, which downloads the fav.ico from a malicious server that poses as an official ASUS WebStorage server.
The malicious file then decrypted by Plead drop another executable which is to decrypt shellcode from its PE resource and execute it in memory. Shellcode is the third-stage DL also known as TSCookie which downloads additional modules form a C&C server and execute it.
Plead Malware Harvest Login credentials form Browsers and Email clients, upload files, Execute applications ShellExecute API and delete target files.
The malware is connected with BlackTech Cyber Espionage group, and it is known for exploiting several vulnerabilities.
Indicators of Compromise