LTS Secure Warning: MitM & Supply-Chain Mechanism Being Used To Infect Victims With PLEAD Malware

The previously discovered PLEAD backdoor, which earlier made use of a stolen D-Link digital signature, is back and is now tied to legitimate software developed by the ASUS Cloud Corporation.

A new variant of the malware is created and spread through a process named AsusWSPanel.exe. This process is the Windows client of the ASUS WebStorage cloud storage service and carries a valid digital signature from the ASUS Cloud Corporation.

When the ASUS WebStorage software requests an update, the request is sent over plain HTTP. After the update is downloaded and ready to be installed, no authenticity check is performed on it. An attacker who can intercept that traffic can therefore push a malicious update in place of the real one.
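The following is an added example, not code from ASUS or from the original advisory. It contrasts the flawed update flow described above (plain HTTP, no verification) with a hardened client that refuses non-HTTPS update URLs, checks a signature over the update manifest against a key pinned in the client, and then checks the payload hash against that manifest. All inputs (the installer bytes, the manifest, the pinned key and the function names) are constructed for this demonstration. HMAC-SHA256 stands in for the signature only so the example runs on the Python standard library; a real updater must verify an asymmetric signature (for example Authenticode) with a pinned public key, never a shared secret embedded in the client.

```python
import hashlib
import hmac
import json
from urllib.parse import urlparse

# Constructed sample installer bytes (not a real executable).
UPDATE_BLOB = b"MZ-constructed-fake-installer-v2.0"

# Hypothetical key pinned in the client. Stand-in for an asymmetric public key.
PINNED_KEY = b"example-pinned-key-not-real"


class UpdateRejected(Exception):
    """Raised by the hardened client when any verification step fails."""


def build_manifest(blob: bytes, version: str) -> dict:
    """Vendor side: describe the update payload by version and SHA-256."""
    return {"version": version, "sha256": hashlib.sha256(blob).hexdigest()}


def sign_manifest(manifest: dict, key: bytes = PINNED_KEY) -> str:
    """Vendor side: sign the canonical JSON form of the manifest.
    HMAC is a stand-in for a real signature (see lead-in)."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def insecure_install(url: str, blob: bytes, manifest: dict) -> dict:
    """Mirrors the flaw in the advisory: any URL scheme is accepted and the
    payload is installed without checking who produced it. An intercepted
    HTTP response with a swapped payload is installed as-is."""
    return {"installed": True, "verified": False, "url": url,
            "sha256": hashlib.sha256(blob).hexdigest()}


def secure_install(url: str, blob: bytes, manifest: dict,
                   signature: str, key: bytes = PINNED_KEY) -> dict:
    """Hardened flow: transport check, manifest authenticity, payload integrity."""
    # 1. Refuse to fetch updates over plaintext HTTP at all.
    if urlparse(url).scheme != "https":
        raise UpdateRejected("update must be fetched over HTTPS")

    # 2. The manifest must carry a valid signature under the pinned key.
    expected = sign_manifest(manifest, key)
    if not hmac.compare_digest(expected, signature):
        raise UpdateRejected("manifest signature mismatch")

    # 3. The downloaded payload must match the hash the signed manifest names.
    digest = hashlib.sha256(blob).hexdigest()
    if not hmac.compare_digest(digest, manifest["sha256"]):
        raise UpdateRejected("payload hash does not match signed manifest")

    return {"installed": True, "verified": True, "url": url, "sha256": digest}


def simulate_mitm_swap() -> dict:
    """Attacker on the path replaces the payload. Returns what each client did."""
    manifest = build_manifest(UPDATE_BLOB, "2.0")
    signature = sign_manifest(manifest)
    tampered = b"MZ-constructed-attacker-payload"

    # Flawed client: installs the swapped payload without noticing.
    flawed = insecure_install("http://update.example.invalid/ws.exe", tampered, manifest)

    # Hardened client: rejects the same swap at the hash check.
    try:
        secure_install("https://update.example.invalid/ws.exe", tampered, manifest, signature)
        hardened = "installed"
    except UpdateRejected as exc:
        hardened = f"rejected: {exc}"

    return {"flawed_installed": flawed["installed"], "hardened": hardened}


if __name__ == "__main__":
    print(simulate_mitm_swap())
```

Note that step 2 is what actually stops the attack: an attacker who can rewrite the HTTP response can also rewrite a plain hash in an unsigned manifest, so the hash only helps once the manifest itself is bound to a key the attacker does not hold.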


Technical Details

The operators behind the malware mainly position themselves at the ISP level to intercept traffic, and also compromise vulnerable routers and use them as C&C servers for the malware.

PLEAD malware campaigns have exploited the following vulnerabilities:

  • CVE-2015-5119, patched by Adobe – July, 2015
  • CVE-2012-0158, patched by Microsoft – April, 2012
  • CVE-2014-6352, patched by Microsoft – October, 2014
  • CVE-2017-0199, patched by Microsoft – April, 2017


Impact

  • Establishes a remote shell for the attacker.
  • Steals saved credentials from the browser and email client.
  • Sends the attacker a list of drives, processes, open windows, and files on the victim device.
  • Uploads and downloads files.

Recommended Actions

  • Always keep your anti-malware solution updated with the latest releases.
  • Run a full system scan periodically.