Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Hackers Exploit ASUS Update Process to Install Backdoor

The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.

The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.

The attacks occurred at the end of April 2019 and involved the creation and execution of the Plead backdoor by AsusWSPanel.exe, the legitimate process of the Windows client for ASUS’ cloud storage service. 

Featuring the name Asus Webstorage Upate.exe, the executable file was digitally signed by ASUS Cloud Corporation, thus suggesting that the hackers might have had access to the update mechanism, given that AsusWSPanel.exe can create files with such filenames during the software update process. 

The compromise, ESET says, could have been either a supply chain attack on the ASUS WebStorage cloud service, or the result of a MitM attack, given that WebStorage binaries are delivered via HTTP during the update process. 

Although there have been numerous supply chain incidents recently (such as M.E.Doc and CCleaner) and even ASUS fell victim to such an attack recently, this compromise apparently happened via MitM instead. 

The issue is that, in addition to using an unencrypted connection to deliver software updates, the mechanism doesn’t include validation of the downloaded binary before execution. 

“Thus, if the update process is intercepted by attackers, they are able to push a malicious update,” ESET points out. 

According to the security firm, the hackers are likely compromising routers and leverage access to these devices to perform MitM attacks. The Plead malware operators were said before to be focusing on router compromise and ESET discovered that most of the organizations affected in the recent attacks have routers made by the same producer, with admin panels accessible from the Internet. 

“Thus, we believe that a MitM attack at the router level is the most probable scenario,” ESET’s security researchers say. 

The update mechanism for ASUS WebStorage, they explain, involves a request sent by the client for an update, to which the server responds in XML format, with a guid and a link included in the response. The software then checks if the installed version is older, based on the information in the guid element, and requests the update binary via the provided link. 

“Therefore, attackers could trigger the update by replacing these two elements using their own data. This is the exact scenario we actually observed in the wild. [The] attackers inserted a new URL, which points to a malicious file at a compromised gov.tw domain,” ESET notes. 

The attackers serve a first-stage downloader that fetches a fav.ico file from a server, to drop the second-stage loader that is also written to the Start Menu startup folder. The loader executes shellcode in memory to load a third-stage DLL, which has been detailed before as TSCookie.

“We see that supply-chain and man-in-the-middle attacks are used more and more often by various attackers all around the globe. This is why it’s very important for software developers not only to thoroughly monitor their environment for possible intrusions, but also to implement proper update mechanisms in their products that are resistant to MitM attacks,” ESET concludes. 

Related: Hackers Using Stolen D-Link Certificates for Malware Signing

Related: Supply Chain Attacks Nearly Doubled in 2018: Symantec

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Cybercrime

CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.

Cybercrime

A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Cybercrime

Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.

Cyberwarfare

Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Cybercrime

No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.

Cybercrime

The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.