Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage

At the end of April 2019, ESET researchers utilizing ESET telemetry observed multiple attempts to deploy Plead malware in an unusual way. Specifically, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe. This process belongs to the Windows client for a cloud storage service called ASUS WebStorage. As seen in Figure 1, the executable file is digitally signed by ASUS Cloud Corporation.

Figure 1. The AsusWSPanel.exe code-signing certificate

All observed Plead samples had the following file name: Asus Webstorage Upate.exe [sic]. Our research confirmed that the AsusWSPanel.exe module of ASUS WebStorage can create files with such filenames during the software update process, as seen in Figure 2.

Figure 2. Decompiled code of the ASUS WebStorage client

There are several possible explanations for why legitimate software could create and execute the Plead malware.

Scenario 1 – Supply chain attack

A supply chain opens unlimited opportunities for attackers to stealthily compromise a large number of targets at the same time: that’s why the number of supply-chain attacks is increasing. In recent years ESET researchers analyzed such cases as M.E.DocElmedia Player, VestaCP, Statcounter, and the Gaming industry.

For malware researchers, it’s not always easy to detect and confirm a specific supply-chain attack; sometimes there are not enough pieces of evidence to prove it.

When we think about the possibility of an ASUS WebStorage supply-chain attack, we should take into account the following points:

  • Legitimate ASUS WebStorage binaries were delivered via the same update mechanism
  • Currently, we are not aware that ASUS WebStorage servers are used as C&C servers or have served malicious binaries
  • Attackers used standalone malware files instead of incorporating malicious functionality inside legitimate software

Therefore, we consider the hypothesis of a possible supply-chain attack to be a less likely scenario; however, we can’t fully discount it.

Scenario 2 – Man-in-the-middle attack

The ASUS WebStorage software is vulnerable to a man-in-the-middle attack (MitM). Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.

ESET researchers are familiar with cases when malware was delivered using a MitM attack at the ISP level, such as FinFisher, StrongPity2, and the Turla mosquito case.

According to the Trend Micro research mentioned earlier, the attackers behind the Plead malware are compromising vulnerable routers and even using them as C&C servers for the malware.

Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario.

As mentioned above, the ASUS WebStorage software requests an update using HTTP. Specifically, it sends a request to the update.asuswebstorage.com server, which sends an answer back in XML format. The most important elements in the XML response are the guid and the link. The guid element contains the currently available version; the link element contains the download URL used for the update. The update process is simple: the software checks whether the installed version is older than the most recent version; if so, then it requests a binary using the provided URL, as seen in Figure 3.

Figure 3. A legitimate communication during an update check of the ASUS WebStorage software

Therefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild. As shown in Figure 4, attackers inserted a new URL, which points to a malicious file at a compromised gov.tw domain.

Figure 4. A captured communication during a malicious update of the ASUS WebStorage software

The illustration in Figure 5 demonstrates the most likely scenario used to deliver malicious payloads to targets through compromised routers.

Figure 5. Man-in-the-middle attack scenario

Plead backdoor

The deployed Plead sample is a first-stage downloader. Once executed, it downloads the fav.ico file from a server, whose name mimics the official ASUS WebStorage server: update.asuswebstorage.com.ssmailer[.]com

The downloaded file contains an image in PNG format and data used by the malware, which is located right after PNG data. Figure 6 depicts the specific byte sequence (control bytes) the malware searches for, and then it uses the next 512 bytes as an RC4 encryption key in order to decrypt the rest of the data.

Figure 6. The data used by the Plead malware in the downloaded PNG file

The decrypted data contains a Windows PE binary, which can be dropped and executed using one of the absolute filenames and paths:

  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\slui.exe
  • %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe
  • %TEMP%\DEV[4_random_chars].TMP

By writing itself to the Start Menu startup folder, the malware gains persistence – it will be loaded each time the current user logs into the system.

The dropped executable is a second-stage loader, whose purpose is to decrypt shellcode from its PE resource and execute it in memory. This shellcode loads a third-stage DLL, whose purpose is to get an additional module from a C&C server and execute it. The third-stage DLL and downloaded module are thoroughly analyzed by JPCERT and published in their blogpost (referred to there as “TSCookie”).

Conclusion

Attackers are constantly looking for new ways to deliver their malware in a stealthier way. We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe.

This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks.

ESET researchers notified ASUS Cloud Corporation prior to this publication.

For any inquiries, or to make sample submissions related to this subject, please contact us at threatintel@eset.com.

Indicators of Compromise (IoCs)

ESET detection namesWin32/Plead.AP trojanWin32/Plead.AC trojanPlead samples (SHA-1)77F785613AAA41E4BF5D8702D8DFBD315E784F3E322719458BC5DFFEC99C9EF96B2E84397285CD73F597B3130E26F184028B1BA6B624CF2E2DECAA67

To view or add a comment, sign in

More articles by M. Ouchen

Insights from the community

Others also viewed

Explore topics