Saturday, October 12, 2024
HomeComputer SecurityHackers Distribute PLEAD Malware through Supply-chain and man-in-the-middle Attack

Hackers Distribute PLEAD Malware through Supply-chain and man-in-the-middle Attack

Published on

Malware protection

Security researchers a new malware campaign that delivers Plead malware by abusing legitimate software that developed by ASUS Cloud Corporation.

The PLEAD malware found to be active since 2012, and the executables are signed with the stolen certificate.

The new campaign executed through a legitimate process named AsusWSPanel.exe, which is the windows client for ASUS WebStorage.

- Advertisement - SIEM as a Service

According to researchers, two possible attack scenarios include Supply chain and Man-in-the-middle attack. Researchers believe the possibility of supply-chain attack is a less possible scenario.

In the case of Man-in-the-middle attack, the update request is handled through an HTTP request. Also, there is no validation on the downloaded update before execution. If the update process intercepted by attackers, they were able to push a malicious update.

“Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario,” reads ESET report.

The update requests to update.asuswebstorage.com are sent through HTTP, in response to that the server sends an XML file that contains guid and the link, whereas the guid contains available version, and the link contains the download link.

Attackers can intercept the request and can replace the guid and the link data with their data pointing to a malicious server.

Plead Malware Execution

The deployed Plead sample is the first-stage downloader, which downloads the fav.ico from a malicious server that poses as an official ASUS WebStorage server.

The malicious file then decrypted by Plead drop another executable which is to decrypt shellcode from its PE resource and execute it in memory. Shellcode is the third-stage DL also known as TSCookie which downloads additional modules form a C&C server and execute it.

Plead Malware Harvest Login credentials form Browsers and Email clients, upload files, Execute applications ShellExecute API and delete target files.

The malware is connected with BlackTech Cyber Espionage group, and it is known for exploiting several vulnerabilities.

Indicators of Compromise

 SHA-1 
77F785613AAA41E4BF5D8702D8DFBD315E784F3E
322719458BC5DFFEC99C9EF96B2E84397285CD73
F597B3130E26F184028B1BA6B624CF2E2DECAA67

C&C
update.asuswebstorage.com.ssmailer[.]com
www.google.com.dns-report[.]com

Also Read

APT Malware LOLBins & GTFOBins Attack users by Evading the Security System

Gallmaker Hacking Group Attack Government, Military, and Defense Sectors Using Publicly Available Hacking Tools

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Threat Actor ProKYC Selling Tools To Bypass Two-Factor Authentication

Threat actors are leveraging a newly discovered deepfake tool, ProKYC, to bypass two-factor authentication...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Foxit PDF Reader Vulnerability Let Attackers Execute Arbitary Code

Researchers recently disclosed six new security vulnerabilities across various software, as one critical vulnerability...