Hackers Distribute PLEAD Malware through Supply-chain and man-in-the-middle Attack

Security researchers a new malware campaign that delivers Plead malware by abusing legitimate software that developed by ASUS Cloud Corporation.

The PLEAD malware found to be active since 2012, and the executables are signed with the stolen certificate.

The new campaign executed through a legitimate process named AsusWSPanel.exe, which is the windows client for ASUS WebStorage.

According to researchers, two possible attack scenarios include Supply chain and Man-in-the-middle attack. Researchers believe the possibility of supply-chain attack is a less possible scenario.

In the case of Man-in-the-middle attack, the update request is handled through an HTTP request. Also, there is no validation on the downloaded update before execution. If the update process intercepted by attackers, they were able to push a malicious update.

“Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario,” reads ESET report.

The update requests to update.asuswebstorage.com are sent through HTTP, in response to that the server sends an XML file that contains guid and the link, whereas the guid contains available version, and the link contains the download link.

Attackers can intercept the request and can replace the guid and the link data with their data pointing to a malicious server.

Plead Malware Execution

The deployed Plead sample is the first-stage downloader, which downloads the fav.ico from a malicious server that poses as an official ASUS WebStorage server.

The malicious file then decrypted by Plead drop another executable which is to decrypt shellcode from its PE resource and execute it in memory. Shellcode is the third-stage DL also known as TSCookie which downloads additional modules form a C&C server and execute it.

Plead Malware Harvest Login credentials form Browsers and Email clients, upload files, Execute applications ShellExecute API and delete target files.

The malware is connected with BlackTech Cyber Espionage group, and it is known for exploiting several vulnerabilities.

Indicators of Compromise

 SHA-1 
77F785613AAA41E4BF5D8702D8DFBD315E784F3E
 322719458BC5DFFEC99C9EF96B2E84397285CD73
 F597B3130E26F184028B1BA6B624CF2E2DECAA67

C&C
 update.asuswebstorage.com.ssmailer[.]com
 www.google.com.dns-report[.]com

Also Read

APT Malware LOLBins & GTFOBins Attack users by Evading the Security System

Gallmaker Hacking Group Attack Government, Military, and Defense Sectors Using Publicly Available Hacking Tools