LTS Secure Warning: MitM & Supply-Chain Mechanism Being Used To Infect Victims With PLEAD Malware

The previously discovered PLEAD backdoor, which made us of D-Link Digital Signature is back to market and now making a connection to legitimate software’s developed by the ASUS Cloud Corporation.

New variant of the malware is created and spread using a process named as AsusWSPanel.exe. This process basically is a cloud storage service called ASUS WebStorage for the Windows Client, which has a digital signature of the ASUS Cloud Corporation.

Once the ASUS Web-Storage software update is requested and it makes use of HTTP to transfer the request. After the update is download and ready to be install, the authenticity check for the update is not being preformed. If an attacker is able to intercept then he can push the malicious update.

 

Technical Details

The creator of the malware is majorly targeting at the ISP Level and also compromising vulnerable routers and then using them as C&C servers for the malware.

Plead Malware uses and exploits following Vulnerabilities:

  • CVE-2015-5119, patched by Adobe – July, 2015
  • CVE-2012-0158, patched by Microsoft – April, 2012
  • CVE-2014-6352, patched by Microsoft – October, 2014
  • CVE-2017-0199, patched by Microsoft – April, 2017

 

Impact

  • Establish a remote shell to hacker.
  • Steals saved credentials from browser & Email client.
  • Send a list of drives, processes, open windows, and files of victim device.
  • Upload/Download files.

Recommended Actions

  • Always update your anti-malware solution with the latest releases.
  • Run a periodically Full system scan.

 

LTS Secure Locations
  • Florida: 407-965-5509
    Los Angeles: 323-544-5013
    Mid West: 800 689 4506

  • Chicago/Midwest– 2406 Schumacher Drive, Mishawaka, IN, 46545

    201, Tower S4, Phase II, Cybercity, Magarpatta Township, Hadapsar, Pune-411013

Leave us a messages Leave us a messages

← Prev Step

Thanks for contacting us. We'll get back to you as soon as we can.

Please provide a valid name, email, and question.

Powered by LivelyChat
Powered by LivelyChat Delete History