A cyberespionage group known as BlackTech exploited the ASUS WebStorage update process to perform Man-in-the-Middle (MitM) attacks and distribute the Plead malware, which is designed to steal information from the targeted computer through a combination of the Plead backdoor and the Drigo exfiltration tool, according to ESET researchers.
ESET first observed the BlackTech group in July 2018, when it was abusing code-signing certificates stolen from D-Link to distribute the Plead malware, which has been in the wild since at least 2012. The experts noted that the threat actor is highly skilled and primarily focused on cyberespionage in Asia.
In late April, ESET detected multiple attacks that used an unusual delivery method: the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe, which belongs to the Windows client for the ASUS WebStorage cloud storage service.
The executable file was named Asus Webstorage Upate.exe and was signed by ASUS Cloud Corporation, suggesting that the hackers had somehow gained access to the update mechanism, since AsusWSPanel.exe can create files with such names during the software update process.
The researchers described two possible scenarios: a supply-chain attack, which would let attackers covertly compromise large numbers of targets at the same time, or a MitM attack. They consider the latter more likely, since the ASUS WebStorage software is vulnerable to this type of attack.
“The software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update,” explained the researchers.
According to ESET, the attackers are likely compromising routers and using access to these devices to perform MitM attacks. In previous attacks, the Plead malware operators were observed focusing on router compromise, and the researchers found that most of the organizations affected in the recent campaign have routers made by the same manufacturer, with admin panels accessible from the Internet.
The ASUS WebStorage update mechanism involves the client sending an update request, to which the server replies in XML format. The most important elements of the XML response are guid and link: the first contains the currently available version and the second the download URL used for the update. “Therefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild”, said the researchers.
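To make the weakness concrete, here is an added example (not code from ESET, ASUS or the article) of the checks an update client should apply to such an XML response before acting on it: it reads the two elements the article names, refuses a download link that is not HTTPS or that points outside an expected set of update hosts, refuses a version that is not newer than the installed one, and compares the downloaded bytes against a pinned digest. The manifests, host names and payload are constructed placeholders.

```python
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample data (not from the article): an update payload and two
# manifests carrying the two elements the article names, <guid> (offered
# version) and <link> (download URL), plus a digest. Hosts are placeholders.
SAMPLE_PAYLOAD = b"constructed update bytes"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()
ALLOWED_HOSTS = {"updates.example-vendor.invalid"}

LEGIT_MANIFEST = (
    "<update><guid>2.1.0</guid>"
    "<link>https://updates.example-vendor.invalid/client-2.1.0.exe</link>"
    f"<sha256>{SAMPLE_DIGEST}</sha256></update>"
)
# The shape of a response rewritten on the path: a higher version and a
# link to a host that is not an update server, carried over plain HTTP.
TAMPERED_MANIFEST = (
    "<update><guid>9.9.9</guid>"
    "<link>http://198.51.100.7/Update.exe</link>"
    f"<sha256>{SAMPLE_DIGEST}</sha256></update>"
)

def parse_version(text):
    """'2.1.0' -> (2, 1, 0); ValueError on junk, which the caller turns into a rejection."""
    return tuple(int(part) for part in text.strip().split("."))

def evaluate_update_response(xml_text, installed_version, allowed_hosts=ALLOWED_HOSTS):
    """Decide whether a manifest may be acted on. Returns (accepted, reason, info).
    Assumes the manifest itself was fetched over TLS with the server identity verified;
    otherwise an on-path attacker rewrites the digest as easily as the link."""
    try:
        root = ET.fromstring(xml_text)
        guid, link, digest = (root.findtext(tag) for tag in ("guid", "link", "sha256"))
        if not (guid and link and digest):
            return False, "manifest is missing guid, link or sha256", None
        if parse_version(guid) <= parse_version(installed_version):
            return False, "offered version is not newer than the installed one", None
    except (ET.ParseError, ValueError) as exc:
        return False, f"malformed manifest: {exc}", None
    url = urlparse(link)
    if url.scheme != "https":
        return False, "download link is not HTTPS", None
    if url.hostname not in allowed_hosts:
        return False, f"download host {url.hostname!r} is not an expected update server", None
    return True, "ok", {"version": guid, "link": link, "sha256": digest.strip().lower()}

def verify_download(data, expected_sha256):
    """Run before executing anything: the downloaded bytes must match the pinned digest."""
    return hashlib.sha256(data).hexdigest() == expected_sha256
```

A digest inside the manifest only helps when the manifest arrives over authenticated TLS; a signature over the update file, verified with a key embedded in the client, is the stronger check that removes the dependence on the transport.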
The attackers deploy a first-stage downloader that fetches a fav.ico file from a server to drop the second-stage loader, which is also written to the Start Menu startup folder. The loader executes shellcode in memory to load a third-stage DLL (TSCookie), which fetches an additional module from a C&C server and executes it.
Cybercriminals are constantly devising new ways to deliver their malware, so it is very important for software developers not only to monitor their environments thoroughly for possible intrusions, but also to implement update mechanisms in their products that are resistant to MitM attacks, the report concludes.