CONFERENCE Cyber AI & Automation Summit - NOW LIVE
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Hackers Exploit ASUS Update Process to Install Backdoor

The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.

The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.

The attacks occurred at the end of April 2019 and involved the creation and execution of the Plead backdoor by AsusWSPanel.exe, the legitimate process of the Windows client for ASUS’ cloud storage service. 

Featuring the name Asus Webstorage Upate.exe, the executable file was digitally signed by ASUS Cloud Corporation, thus suggesting that the hackers might have had access to the update mechanism, given that AsusWSPanel.exe can create files with such filenames during the software update process. 

The compromise, ESET says, could have been either a supply chain attack on the ASUS WebStorage cloud service, or the result of a MitM attack, given that WebStorage binaries are delivered via HTTP during the update process. 

Although there have been numerous supply chain incidents recently (such as M.E.Doc and CCleaner) and even ASUS fell victim to such an attack recently, this compromise apparently happened via MitM instead. 

The issue is that, in addition to using an unencrypted connection to deliver software updates, the mechanism doesn’t include validation of the downloaded binary before execution. 

“Thus, if the update process is intercepted by attackers, they are able to push a malicious update,” ESET points out. 

According to the security firm, the hackers are likely compromising routers and leverage access to these devices to perform MitM attacks. The Plead malware operators were said before to be focusing on router compromise and ESET discovered that most of the organizations affected in the recent attacks have routers made by the same producer, with admin panels accessible from the Internet. 

Advertisement. Scroll to continue reading.

“Thus, we believe that a MitM attack at the router level is the most probable scenario,” ESET’s security researchers say. 

The update mechanism for ASUS WebStorage, they explain, involves a request sent by the client for an update, to which the server responds in XML format, with a guid and a link included in the response. The software then checks if the installed version is older, based on the information in the guid element, and requests the update binary via the provided link. 

“Therefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild. [The] attackers inserted a new URL, which points to a malicious file at a compromised gov.tw domain,” ESET notes. 

The attackers serve a first-stage downloader that fetches a fav.ico file from a server, to drop the second-stage loader that is also written to the Start Menu startup folder. The loader executes shellcode in memory to load a third-stage DLL, which has been detailed before as TSCookie.

“We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe. This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks,” ESET concludes. 

Related: Hackers Using Stolen D-Link Certificates for Malware Signing

Related: Supply Chain Attacks Nearly Doubled in 2018: Symantec

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

Video platform Vimeo has appointed Ryan Weeks as Chief Information Security Officer.

LPL Financial has welcomed Renana Friedlich as Chief Information Security Officer.

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.