Hackers Distributed Malware By Compromising Asus Routers


Enterprise & IT | May 14, 2019

ESET researchers have discovered that attackers have been distributing the Plead malware via compromised routers and man-in-the-middle attacks against the legitimate ASUS WebStorage software.

ESET first discovered that the Plead backdoor was digitally signed by a code-signing certificate that was issued to D-Link Corporation back in July 2018.
The Plead malware is a backdoor which, according to Trend Micro, is used by the BlackTech group in targeted attacks. The BlackTech group is primarily focused on cyberespionage in Asia.

At the end of April 2019, ESET researchers utilizing ESET telemetry observed multiple attempts to deploy Plead malware in an unusual way. Specifically, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe. This process belongs to the Windows client for a cloud storage service called ASUS WebStorage. The executable file is digitally signed by ASUS Cloud Corporation.

ESET said that all observed Plead samples had the following file name: Asus Webstorage Upate.exe. The researchers confirmed that the AsusWSPanel.exe module of ASUS WebStorage can create files with such filenames during the software update process.

But how could legitimate software create and execute the Plead malware? One possibility is an ASUS WebStorage supply-chain attack, under which legitimate ASUS WebStorage binaries were delivered via the same update mechanism. However, ESET says it is not aware that ASUS WebStorage servers are used as C&C servers or have served malicious binaries. The attackers used standalone malware files instead of incorporating malicious functionality inside legitimate software.

Another possible explanation is that the ASUS WebStorage software is vulnerable to a man-in-the-middle (MitM) attack. Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn't validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.
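For defenders, the behavior described above (AsusWSPanel.exe creating and running an update file whose authenticity was never checked) can be hunted for in process-creation telemetry. The following is an added example, not code from ESET or ASUS; the record fields (`host`, `parent_image`, `image`, `signer`, `signature_valid`), the hosts, the paths and the second publisher name are assumptions constructed for illustration.

```python
import ntpath

# Publisher the article names as signer of the legitimate WebStorage executable.
EXPECTED_SIGNER = "ASUS Cloud Corporation"
UPDATER_PARENT = "asuswspanel.exe"


def classify(event):
    """Return why a child of the updater is suspicious, or None if it is not."""
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if parent != UPDATER_PARENT:
        return None  # only children of the WebStorage panel are in scope
    # The file name is not checked: the article notes the genuine updater
    # creates files with the same name, so the name alone proves nothing.
    if not event.get("signature_valid", False):
        return "unsigned or invalid signature"
    signer = event.get("signer", "").strip().casefold()
    if signer != EXPECTED_SIGNER.casefold():
        # A valid signature is not enough; it must come from the expected publisher.
        return "valid signature from unexpected publisher"
    return None


def hunt(events):
    """Return (host, image, reason) for every suspicious event."""
    findings = []
    for event in events:
        reason = classify(event)
        if reason:
            findings.append((event["host"], event["image"], reason))
    return findings


# Constructed sample records; hosts, paths and the second publisher are made up.
PANEL = r"C:\Program Files (x86)\ASUS\WebStorage\AsusWSPanel.exe"
CHILD = r"C:\Users\user\AppData\Local\Temp\Asus Webstorage Upate.exe"
SAMPLE_EVENTS = [
    {"host": "WS-01", "parent_image": PANEL, "image": CHILD,
     "signer": "ASUS Cloud Corporation", "signature_valid": True},
    {"host": "WS-02", "parent_image": PANEL, "image": CHILD,
     "signer": "", "signature_valid": False},
    {"host": "WS-03", "parent_image": PANEL, "image": CHILD,
     "signer": "Example Other Corp", "signature_valid": True},
    {"host": "WS-04", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Tools\unsigned.exe", "signer": "", "signature_valid": False},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```

The WS-03 case matters because the article notes that Plead was previously signed with a certificate issued to another company, so a check that only asks whether a file is signed would pass it.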

According to Trend Micro research, attackers behind the Plead malware are compromising vulnerable routers and even using them as C&C servers for the malware.

ESET's investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, the researchers believe that a MitM attack at the router level is the most probable scenario.

ESET researchers had notified ASUS Cloud Corporation prior to the public announcement of the issue.

Attackers are constantly looking for new ways to deliver their malware in a stealthier way. Security researchers see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe.

Tags: malware, Hacking, ASUS, routers, ESET