Figure 1. The AsusWSPanel.exe code-signing certificate
Figure 2. Decompiled code of the ASUS WebStorage client
There are several possible explanations for why legitimate software could create and execute the Plead malware.
A supply chain opens unlimited opportunities for attackers to stealthily compromise a large number of targets at the same time: that’s why the number of supply-chain attacks is increasing. In recent years ESET researchers analyzed such cases as M.E.Doc, Elmedia Player, VestaCP, Statcounter, and the Gaming industry.
For malware researchers, it’s not always easy to detect and confirm a specific supply-chain attack; sometimes there are not enough pieces of evidence to prove it.
When we think about the possibility of an ASUS WebStorage supply-chain attack, we should take into account the following points:
- Legitimate ASUS WebStorage binaries were delivered via the same update mechanism
- Currently, we are not aware that ASUS WebStorage servers are used as C&C servers or have served malicious binaries
- Attackers used standalone malware files instead of incorporating malicious functionality inside legitimate software
Therefore, we consider the hypothesis of a possible supply-chain attack to be a less likely scenario; however, we can’t fully discount it.
The ASUS WebStorage software is vulnerable to a man-in-the-middle attack (MitM). Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.
ESET researchers are familiar with cases when malware was delivered using a MitM attack at the ISP level, such as FinFisher, StrongPity2, and the Turla mosquito case.
According to Trend Micro research, attackers behind the Plead malware are compromising vulnerable routers and even using them as C&C servers for the malware.
Our investigation uncovered that most of the affected organizations have routers made by the same producer; moreover, the admin panels of these routers are accessible from the internet. Thus, we believe that a MitM attack at the router level is the most probable scenario.
As mentioned above, the ASUS WebStorage software requests an update using HTTP. Specifically, it sends a request to the update.asuswebstorage.com server, which sends an answer back in XML format. The most important elements in the XML response are the guid and the link. The guid element contains the currently available version; the link element contains the download URL used for the update. The update process is simple: the software checks whether the installed version is older than the most recent version; if so, then it requests a binary using the provided URL, as seen in Figure 3.
Figure 3. A legitimate communication during an update check of the ASUS WebStorage software
Therefore, attackers could trigger the update by replacing these two elements with their own data. This is the exact scenario we actually observed in the wild. As shown in Figure 4, attackers inserted a new URL, which points to a malicious file at a compromised gov.tw domain.
Figure 4. A captured communication during a malicious update of the ASUS WebStorage software
The illustration in Figure 5 demonstrates the most likely scenario used to deliver malicious payloads to targets through compromised routers.
Figure 5. Man-in-the-middle attack scenario
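To make the weak update check concrete, here is an added example (not ESET's or ASUS's code) that parses a guid/link answer like the one described above and contrasts the trusting decision with a hardened one. The XML nesting, version format and the attacker domain are constructed assumptions; only the guid and link element names come from the article.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed responses modelled on the guid/link elements described in the article;
# element nesting, version strings and hostnames are assumptions, not captured traffic.
LEGIT_RESPONSE = """<?xml version="1.0"?>
<response>
  <guid>1.0.0.2</guid>
  <link>https://update.asuswebstorage.com/client/setup.exe</link>
</response>"""

MITM_RESPONSE = """<?xml version="1.0"?>
<response>
  <guid>9.9.9.9</guid>
  <link>http://attacker-controlled.example/update.exe</link>
</response>"""

def parse_update(xml_text):
    """Return (guid, link) from the update server's XML answer."""
    root = ET.fromstring(xml_text)
    return root.findtext("guid"), root.findtext("link")

def version_tuple(v):
    return tuple(int(p) for p in v.split("."))

def vulnerable_decision(xml_text, installed):
    """The trusting logic the article describes: a newer guid means fetch the link, unchecked."""
    guid, link = parse_update(xml_text)
    return link if version_tuple(guid) > version_tuple(installed) else None

def hardened_findings(xml_text, installed, expected_host="update.asuswebstorage.com"):
    """Reject an update answer that a MitM could have rewritten. An empty list means no finding.
    Note: the host check alone is weak over plain HTTP (an interceptor can keep the hostname);
    HTTPS with certificate validation plus a signature check on the downloaded binary is what
    actually closes the gap."""
    guid, link = parse_update(xml_text)
    if guid is None or link is None:
        return ["missing guid or link element"]
    findings = []
    u = urlparse(link)
    if u.scheme != "https":
        findings.append("download URL is not HTTPS")
    if u.hostname != expected_host:
        findings.append(f"download host {u.hostname!r} is not {expected_host!r}")
    if version_tuple(guid) <= version_tuple(installed):
        findings.append("advertised version is not newer than the installed one")
    return findings
```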
The deployed Plead sample is a first-stage downloader. Once executed, it downloads the fav.ico file from a server, whose name mimics the official ASUS WebStorage server: update.asuswebstorage.com.ssmailer[.]com
The downloaded file contains an image in PNG format and data used by the malware, which is located right after PNG data. Figure 6 depicts the specific byte sequence (control bytes) the malware searches for, and then it uses the next 512 bytes as an RC4 encryption key in order to decrypt the rest of the data.
Figure 6. The data used by the Plead malware in the downloaded PNG file
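An analyst-side extractor for the carrier layout just described, added here as an example rather than taken from the article or from the malware: PNG image, control bytes, a 512-byte RC4 key, then the RC4-encrypted payload. The control-byte sequence from Figure 6 is not reproduced on this page, so a placeholder marker is assumed, and the carrier used for testing is constructed inline.

```python
import struct
import zlib

# Placeholder for the control bytes shown in Figure 6 (the real sequence is not given here).
CONTROL_BYTES = b"<CONTROL-BYTES-PLACEHOLDER>"
KEY_LEN = 512  # the article states the next 512 bytes after the marker are the RC4 key

def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def minimal_png():
    """A valid 1x1 RGB PNG (constructed) so the carrier really opens as an image."""
    def chunk(tag, body):
        return struct.pack(">I", len(body)) + tag + body + struct.pack(">I", zlib.crc32(tag + body))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # one scanline: filter byte + one RGB pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def constructed_carrier(payload, key):
    """Test fixture only: lay out PNG, control bytes, key and ciphertext as the article describes."""
    assert len(key) == KEY_LEN
    return minimal_png() + CONTROL_BYTES + key + rc4(key, payload)

def extract_payload(blob):
    """Locate the marker after the image data, take the 512-byte key, decrypt the remainder."""
    iend = blob.find(b"IEND")
    pos = blob.find(CONTROL_BYTES, iend if iend >= 0 else 0)
    if pos < 0:
        return None  # no appended data: just an image
    key_start = pos + len(CONTROL_BYTES)
    key = blob[key_start:key_start + KEY_LEN]
    if len(key) < KEY_LEN:
        return None  # truncated download
    return rc4(key, blob[key_start + KEY_LEN:])
```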
The decrypted data contains a Windows PE binary, which can be dropped and executed using one of the absolute filenames and paths:
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\slui.exe
- %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ctfmon.exe
By writing itself to the Start Menu startup folder, the malware gains persistence – it will be loaded each time the current user logs into the system.
The dropped executable is a second-stage loader, whose purpose is to decrypt shellcode from its PE resource and execute it in memory. This shellcode loads a third-stage DLL, whose purpose is to get an additional module from a C&C server and execute it. The third-stage DLL and downloaded module are thoroughly analyzed by JPCERT and published in their blogpost (referred to there as “TSCookie”).
Attackers are constantly looking for new ways to deliver their malware in a stealthier way. We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe.
This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks.
ESET researchers notified ASUS Cloud Corporation prior to this publication.
For any inquiries, or to make sample submissions related to this subject, please contact us at [email protected].
|ESET detection names|
|Plead samples (SHA-1)|
| Tactic | ID | Name | Description |
|---|---|---|---|
| Execution | T1203 | Exploitation for Client Execution | BlackTech group exploits a vulnerable update mechanism in ASUS WebStorage software in order to deploy Plead malware in some networks. |
| Persistence | T1060 | Registry Run Keys / Startup Folder | Plead malware might drop a second stage loader in the Start Menu's startup folder. |
| Defense Evasion | T1116 | Code Signing | Some Plead malware samples are signed with stolen certificates. |
| Defense Evasion | T1027 | Obfuscated Files or Information | Plead malware encrypts its payloads with the RC4 algorithm. |
| Credential Access | T1081 | Credentials in Files | BlackTech can deploy a module that steals credentials from the victim's browser and email clients. |
| Discovery | T1083 | File and Directory Discovery | Plead malware allows attackers to obtain a list of files. |
| Discovery | T1057 | Process Discovery | Plead malware allows attackers to obtain a list of running processes on a system. |
| Command And Control | T1105 | Remote File Copy | Plead malware allows attackers to upload and download files from its C&C. |
| Command And Control | T1071 | Standard Application Layer Protocol | Plead malware uses HTTP for communication with its C&C. |
| Exfiltration | T1041 | Exfiltration Over Command and Control Channel | Data exfiltration is done using the already opened channel with the C&C server. |