BlackTech Group Abuses ASUS WebStorage to Install Plead Malware

Delaware, USA – May 17, 2019 – Adversaries are conducting a cyber espionage campaign in Asia, abusing ASUS WebStorage software to infect their victims with a backdoor. At the end of April, ESET researchers uncovered a campaign distributing Plead malware in Taiwan and noted an unusual method of spreading the malware, which is associated with the BlackTech hacker group that usually attacks government organizations and private companies in the region. The most likely infection scenario is a man-in-the-middle attack at the router level, since the BlackTech group has previously carried out attacks on routers and then used them in its operations. In addition, most of the victims had routers from the same manufacturer, and these routers could be accessed via the Internet. The adversaries intercepted the update request from ASUS WebStorage and forced the legitimate software to download a file from a compromised government site. After downloading the malicious update, the ASUS WebStorage software installs the Plead backdoor loader without any additional checks. The malware collects information about the system and files, can execute commands and upload files, and is also equipped with a specialized module for exfiltrating documents via Google Drive.
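An update hijacked in this way leaves a trace in web proxy logs: the updater's own traffic ends up fetching an executable from a host that is not the vendor's. The following is an added example, not code from ESET or from the original article; the updater User-Agent, the vendor update host and the log layout are hypothetical placeholders, and the log lines are constructed.

```python
from urllib.parse import urlsplit

# Assumptions (hypothetical, not from the article): the updater's User-Agent,
# the vendor's update host, and the pipe-separated proxy log layout below.
UPDATER_UA = "ExampleUpdater/1.0"
VENDOR_HOSTS = {"update.vendor.example"}
EXEC_TYPES = {"application/x-msdownload", "application/octet-stream"}

# Constructed proxy log: time | client | user-agent | url | status | content-type | Location
SAMPLE_LOG = """\
2019-04-25T09:00:01 | 10.0.0.21 | ExampleUpdater/1.0 | https://update.vendor.example/check | 200 | text/xml | -
2019-04-25T09:00:02 | 10.0.0.21 | ExampleUpdater/1.0 | https://update.vendor.example/pkg/1.2.exe | 200 | application/x-msdownload | -
2019-04-25T09:05:10 | 10.0.0.34 | ExampleUpdater/1.0 | http://update.vendor.example/check | 302 | text/html | http://files.other.example/pkg/1.2.exe
2019-04-25T09:05:11 | 10.0.0.34 | ExampleUpdater/1.0 | http://files.other.example/pkg/1.2.exe | 200 | application/x-msdownload | -
2019-04-25T09:06:00 | 10.0.0.34 | Mozilla/5.0 | http://files.other.example/index.html | 200 | text/html | -
"""

FIELDS = ("time", "client", "ua", "url", "status", "ctype", "location")

def parse(log):
    # Yield one dict per well-formed line; malformed lines are skipped.
    for line in log.splitlines():
        parts = [p.strip() for p in line.split("|")]
        if len(parts) == len(FIELDS):
            yield dict(zip(FIELDS, parts))

def host(url):
    return (urlsplit(url).hostname or "").lower()

def findings(log):
    # Return (client, rule, evidence) tuples for suspicious updater traffic.
    out = []
    for e in parse(log):
        if e["ua"] != UPDATER_UA:
            continue  # only traffic generated by the updater itself
        if urlsplit(e["url"]).scheme != "https":
            out.append((e["client"], "plaintext-update-traffic", e["url"]))
        if e["status"].startswith("3") and host(e["location"]) not in VENDOR_HOSTS:
            out.append((e["client"], "redirect-off-vendor", e["location"]))
        if host(e["url"]) not in VENDOR_HOSTS and e["ctype"] in EXEC_TYPES:
            out.append((e["client"], "executable-from-unlisted-host", e["url"]))
    return out

if __name__ == "__main__":
    for finding in findings(SAMPLE_LOG):
        print(*finding)
```

A check like this does not cover the supply-chain scenario, where a trojanized update would arrive from the vendor's own host.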

In addition, the researchers do not completely rule out a supply-chain attack, as the Winnti group recently distributed malware using a trojanized ASUS Live Updater. Supply-chain attacks, like man-in-the-middle attacks, are difficult to spot in time, and more and more hacker groups are switching to these techniques. To uncover sophisticated attacks with the existing tools in your organization, you can use the APT Framework, which applies different methods of statistical profiling and behavioral analysis to make the most efficient use of technologies such as IDS/IPS, firewalls, proxies, anti-virus, vulnerability scanners, etc.