Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Hackers Exploit ASUS Update Process to Install Backdoor

The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.

The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.

The attacks occurred at the end of April 2019 and involved the creation and execution of the Plead backdoor by AsusWSPanel.exe, the legitimate process of the Windows client for ASUS’ cloud storage service. 

Featuring the name Asus Webstorage Upate.exe, the executable file was digitally signed by ASUS Cloud Corporation, thus suggesting that the hackers might have had access to the update mechanism, given that AsusWSPanel.exe can create files with such filenames during the software update process. 

The compromise, ESET says, could have been either a supply chain attack on the ASUS WebStorage cloud service, or the result of a MitM attack, given that WebStorage binaries are delivered via HTTP during the update process. 

Although there have been numerous supply chain incidents recently (such as M.E.Doc and CCleaner) and even ASUS fell victim to such an attack recently, this compromise apparently happened via MitM instead. 

The issue is that, in addition to using an unencrypted connection to deliver software updates, the mechanism doesn’t include validation of the downloaded binary before execution. 

“Thus, if the update process is intercepted by attackers, they are able to push a malicious update,” ESET points out. 

According to the security firm, the hackers are likely compromising routers and leverage access to these devices to perform MitM attacks. The Plead malware operators were said before to be focusing on router compromise and ESET discovered that most of the organizations affected in the recent attacks have routers made by the same producer, with admin panels accessible from the Internet. 

“Thus, we believe that a MitM attack at the router level is the most probable scenario,” ESET’s security researchers say. 

The update mechanism for ASUS WebStorage, they explain, involves a request sent by the client for an update, to which the server responds in XML format, with a guid and a link included in the response. The software then checks if the installed version is older, based on the information in the guid element, and requests the update binary via the provided link. 

“Therefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild. [The] attackers inserted a new URL, which points to a malicious file at a compromised domain,” ESET notes. 

The attackers serve a first-stage downloader that fetches a fav.ico file from a server, to drop the second-stage loader that is also written to the Start Menu startup folder. The loader executes shellcode in memory to load a third-stage DLL, which has been detailed before as TSCookie.

“We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe. This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks,” ESET concludes. 

Related: Hackers Using Stolen D-Link Certificates for Malware Signing

Related: Supply Chain Attacks Nearly Doubled in 2018: Symantec

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.


Security researchers with Juniper Networks’ Threat Labs warn of a new Python-based backdoor targeting VMware ESXi virtualization servers.