The BlackTech cyber-espionage group has been performing man-in-the-middle (MitM) attacks on the update process of the ASUS WebStorage application to deliver the Plead backdoor to their targeted victims, ESET reports.
The attacks occurred at the end of April 2019 and involved the creation and execution of the Plead backdoor by AsusWSPanel.exe, the legitimate process of the Windows client for ASUS’ cloud storage service.
Featuring the name Asus Webstorage Upate.exe, the executable file was digitally signed by ASUS Cloud Corporation, thus suggesting that the hackers might have had access to the update mechanism, given that AsusWSPanel.exe can create files with such filenames during the software update process.
The compromise, ESET says, could have been either a supply chain attack on the ASUS WebStorage cloud service, or the result of a MitM attack, given that WebStorage binaries are delivered via HTTP during the update process.
Although there have been numerous supply chain incidents recently (such as M.E.Doc and CCleaner) and even ASUS fell victim to such an attack recently, this compromise apparently happened via MitM instead.
The issue is that, in addition to using an unencrypted connection to deliver software updates, the mechanism doesn’t include validation of the downloaded binary before execution.
“Thus, if the update process is intercepted by attackers, they are able to push a malicious update,” ESET points out.
According to the security firm, the hackers are likely comprom ..