The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.
The attacks occurred at the end of April 2019 and involved the creation and execution of the Plead backdoor by AsusWSPanel.exe, the legitimate process of the Windows client for ASUS’ cloud storage service.
Featuring the name Asus Webstorage Upate.exe, the executable file was digitally signed by ASUS Cloud Corporation, thus suggesting that the hackers might have had access to the update mechanism, given that AsusWSPanel.exe can create files with such filenames during the software update process.
The compromise, ESET says, could have been either a supply chain attack on the ASUS WebStorage cloud service, or the result of a MitM attack, given that WebStorage binaries are delivered via HTTP during the update process.
Although there have been numerous supply chain incidents recently (such as M.E.Doc and CCleaner) and even ASUS fell victim to such an attack recently, this compromise apparently happened via MitM instead.
The issue is that, in addition to using an unencrypted connection to deliver software updates, the mechanism doesn’t include validation of the downloaded binary before execution.
“Thus, if the update process is intercepted by attackers, they are able to push a malicious update,” ESET points out.
According to the security firm, the hackers are likely compromising routers and leverage access to these devices to perform MitM attacks. The Plead malware operators were said before to be focusing on router compromise and ESET discovered that most of the organizations affected in the recent attacks have routers made by the same producer, with admin panels accessible from the Internet.
“Thus, we believe that a MitM attack at the router level is the most probable scenario,” ESET’s security researchers say.
The update mechanism for ASUS WebStorage, they explain, involves a request sent by the client for an update, to which the server responds in XML format, with a guid and a link included in the response. The software then checks if the installed version is older, based on the information in the guid element, and requests the update binary via the provided link.
“Therefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild. [The] attackers inserted a new URL, which points to a malicious file at a compromised gov.tw domain,” ESET notes.
The attackers serve a first-stage downloader that fetches a fav.ico file from a server, to drop the second-stage loader that is also written to the Start Menu startup folder. The loader executes shellcode in memory to load a third-stage DLL, which has been detailed before as TSCookie.
“We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe. This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks,” ESET concludes.