ASUS WebStorage misused by Plead malware MitM attacks at router level

[Brink]

ESET researchers have discovered that the attackers have been distributing the Plead malware via compromised routers and man-in-the-middle attacks against the legitimate ASUS WebStorage software.

In July 2018 we discovered that the Plead backdoor was digitally signed by a code-signing certificate that was issued to D-Link Corporation. Recently we detected a new activity involving the same malware and a possible connection to legitimate software developed by ASUS Cloud Corporation.

The Plead malware is a backdoor which, according to Trend Micro, is used by the BlackTech group in targeted attacks. The BlackTech group is primarily focused on cyberespionage in Asia.

The new activity described in this blogpost was detected by ESET in Taiwan, where the Plead malware has always been most actively deployed.

What has happened?

At the end of April 2019, ESET researchers utilizing ESET telemetry observed multiple attempts to deploy Plead malware in an unusual way. Specifically, the Plead backdoor was created and executed by a legitimate process named AsusWSPanel.exe. This process belongs to the Windows client for a cloud storage service called ASUS WebStorage...

Read more:

• Plead malware distributed via MitM attacks at router level, misusing ASUS WebStorage | WeLiveSecurity
• ASUS WebStorage abused to spy on users at the router level | ZDNet