Monday, March 4, 2024

Hackers Distribute PLEAD Malware through Supply-chain and man-in-the-middle Attack

Security researchers a new malware campaign that delivers Plead malware by abusing legitimate software that developed by ASUS Cloud Corporation.

The PLEAD malware found to be active since 2012, and the executables are signed with the stolen certificate.

The new campaign executed through a legitimate process named AsusWSPanel.exe, which is the windows client for ASUS WebStorage.

According to researchers, two possible attack scenarios include Supply chain and Man-in-the-middle attack. Researchers believe the possibility of supply-chain attack is a less possible scenario.

In the case of Man-in-the-middle attack, the update request is handled through an HTTP request. Also, there is no validation on the downloaded update before execution. If the update process intercepted by attackers, they were able to push a malicious update.

“Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario,” reads ESET report.

The update requests to update.asuswebstorage.com are sent through HTTP, in response to that the server sends an XML file that contains guid and the link, whereas the guid contains available version, and the link contains the download link.

Attackers can intercept the request and can replace the guid and the link data with their data pointing to a malicious server.

Plead Malware Execution

The deployed Plead sample is the first-stage downloader, which downloads the fav.ico from a malicious server that poses as an official ASUS WebStorage server.

The malicious file then decrypted by Plead drop another executable which is to decrypt shellcode from its PE resource and execute it in memory. Shellcode is the third-stage DL also known as TSCookie which downloads additional modules form a C&C server and execute it.

Plead Malware Harvest Login credentials form Browsers and Email clients, upload files, Execute applications ShellExecute API and delete target files.

The malware is connected with BlackTech Cyber Espionage group, and it is known for exploiting several vulnerabilities.

Indicators of Compromise

 SHA-1 
77F785613AAA41E4BF5D8702D8DFBD315E784F3E
322719458BC5DFFEC99C9EF96B2E84397285CD73
F597B3130E26F184028B1BA6B624CF2E2DECAA67

C&C
update.asuswebstorage.com.ssmailer[.]com
www.google.com.dns-report[.]com

Also Read

APT Malware LOLBins & GTFOBins Attack users by Evading the Security System

Gallmaker Hacking Group Attack Government, Military, and Defense Sectors Using Publicly Available Hacking Tools

Website

Latest articles

US Court Orders NSO Group to Handover Code for Spyware, Pegasus to WhatsApp

Meta, the company that owns WhatsApp, filed a lawsuit against NSO Group in 2019....

New SSO-Based Phishing Attack Trick Users into Sharing Login Credentials  

Threat actors employ phishing scams to trick individuals into giving away important details like...

U.S. Charged Iranian Hacker, Rewards up to $10 Million

The United States Department of Justice (DoJ) has charged an Iranian national, Alireza Shafie...

Huge Surge in Ransomware-as-a-Service Attacks targeting Middle East & Africa

The Middle East and Africa (MEA) region has witnessed a surge in ransomware-as-a-service (RaaS)...

New Silver SAML Attack Let Attackers Forge Any SAML Response To Entra ID

SolarWinds cyberattack was one of the largest attacks of the century in which attackers...

AI Worm Developed by Researchers Spreads Automatically Between AI Agents

Researchers have developed what they claim to be one of the first generative AI...

20 Million+ Cutout.Pro User Records Leaked On Hacking Forums

CutOut.Pro, an AI-powered photo and video editing platform, has reportedly suffered a data breach,...
Guru baran
Guru baranhttps://gbhackers.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Live Account Takeover Attack Simulation

Live Account Take Over Attack

Live Webinar on How do hackers bypass 2FA ,Detecting ATO attacks, A demo of credential stuffing, brute force and session jacking-based ATO attacks, Identifying attacks with behaviour-based analysis and Building custom protection for applications and APIs.

Related Articles