They manage to break the security of the ASUS WebStorage service through the Plead malware


According to a group of ESET researchers in Taiwan, it was reported a few days ago that the Plead malware was being used by the BlackTech group in targeted attacks focused on cyber espionage, especially in Asian countries. The program appears to have been distributed through compromised routers, abusing the ASUS WebStorage service.

It happened in late April, when the researchers observed multiple attempts to spread the Plead malware in unusual ways. The Plead backdoor was created and run by a legitimate process called AsusWSPanel.exe, which belongs to the client of a cloud storage service called ASUS WebStorage. The executable was also digitally signed by ASUS Cloud Corporation. Needless to say, ESET researchers have already notified ASUS of what happened.

[Illustration: man in the middle]

MitM Attack (Man in the Middle)

ESET also suspects that this could be a "man-in-the-middle" attack (rendered in the original Spanish article as a "man in the middle" or "intermediary" attack), in which the attacker interposes itself between the client and the server. The ASUS WebStorage software is believed to be vulnerable to such attacks, and the attack would have taken place during the ASUS application's update process in order to deliver the Plead backdoor to its victims.

As has been learned, the update mechanism for ASUS WebStorage involves the client sending an update request over HTTP. Once the request is received, the server responds in XML format, with a GUID and a link included in the response. The software then checks whether the installed version is older than the latest version. If it is, the client requests a binary from the provided URL.

Because this exchange happens over plain HTTP with nothing authenticating the response, an attacker positioned between client and server can trigger the update by replacing these two items (the GUID and the link) with their own data. The illustration above shows the most likely scenario used to deliver malicious payloads to specific targets through compromised routers.
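To make the weakness in that update flow concrete, here is an added example (written for this page, not code from ASUS or from ESET) contrasting a naive update check, which trusts whatever the HTTP response says, with a hardened one. The XML element names (`version`, `guid`, `link`, `sha256`), the host allowlist, the sample binaries and the tampered response are all constructed for the demo; the HMAC over the response is a stand-in for the asymmetric publisher signature a real client would verify with a pinned public key. No network access is involved: the "downloaded" binary is passed in as bytes.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

INSTALLED_VERSION = "1.0.0.1"
# Hosts the client is allowed to fetch installers from (placeholder, not ASUS's).
ALLOWED_HOSTS = {"update.example-vendor.invalid"}
# Stand-in for a publisher signing key; a real client would hold only a public key.
CLIENT_KEY = b"constructed-demo-key"

LEGIT_BINARY = b"legitimate installer bytes (constructed)"
MALICIOUS_BINARY = b"attacker-supplied bytes (constructed)"


def parse_version(v: str) -> tuple:
    """Compare versions numerically; string comparison would make '1.0.0.9' > '1.0.0.10'."""
    return tuple(int(part) for part in v.split("."))


def build_response(version: str, guid: str, link: str, binary: bytes, key: bytes = CLIENT_KEY):
    """Server side: XML body as described in the article, plus a MAC over the body."""
    body = (
        f"<update><version>{version}</version><guid>{guid}</guid>"
        f"<link>{link}</link><sha256>{hashlib.sha256(binary).hexdigest()}</sha256></update>"
    ).encode()
    return body, hmac.new(key, body, hashlib.sha256).hexdigest()


# A legitimate response, and the same response after an on-path attacker rewrote
# the GUID, the link and the digest. The attacker cannot recompute the MAC, so the
# original MAC is replayed alongside the modified body.
LEGIT_XML, LEGIT_MAC = build_response(
    "1.0.0.2", "guid-legit", "https://update.example-vendor.invalid/ws.exe", LEGIT_BINARY
)
TAMPERED_XML = (
    LEGIT_XML.replace(b"guid-legit", b"guid-injected")
    .replace(b"https://update.example-vendor.invalid/ws.exe", b"http://198.51.100.7/update.exe")
    .replace(
        hashlib.sha256(LEGIT_BINARY).hexdigest().encode(),
        hashlib.sha256(MALICIOUS_BINARY).hexdigest().encode(),
    )
)


def naive_update_decision(xml_bytes: bytes):
    """Mirrors the flow the article describes: if the version in the response is
    newer, return the link to download and run, with no authenticity check."""
    root = ET.fromstring(xml_bytes)
    if parse_version(root.findtext("version")) > parse_version(INSTALLED_VERSION):
        return root.findtext("link")
    return None


def hardened_update_decision(xml_bytes: bytes, mac_hex: str, fetched_binary: bytes) -> str:
    """Layered checks: authenticate the response, compare versions numerically,
    enforce a URL policy, and verify the binary against the authenticated digest."""
    expected_mac = hmac.new(CLIENT_KEY, xml_bytes, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac_hex, expected_mac):
        return "rejected: response MAC invalid"
    root = ET.fromstring(xml_bytes)
    if parse_version(root.findtext("version")) <= parse_version(INSTALLED_VERSION):
        return "up to date"
    link = root.findtext("link")
    url = urlparse(link)
    if url.scheme != "https" or url.hostname not in ALLOWED_HOSTS:
        return "rejected: link violates URL policy"
    if not hmac.compare_digest(hashlib.sha256(fetched_binary).hexdigest(), root.findtext("sha256")):
        return "rejected: binary digest mismatch"
    return f"accepted: {link}"


if __name__ == "__main__":
    print("naive client would fetch:", naive_update_decision(TAMPERED_XML))
    print("hardened, tampered:", hardened_update_decision(TAMPERED_XML, LEGIT_MAC, MALICIOUS_BINARY))
    print("hardened, legit:", hardened_update_decision(LEGIT_XML, LEGIT_MAC, LEGIT_BINARY))
```

The order of the checks matters: the response is authenticated before anything in it is acted on, the URL policy still applies even to an authenticated response (defence in depth against a compromised or misconfigured update server), and the digest check ties the bytes actually fetched to the authenticated response rather than to wherever the link pointed.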