Security researchers at Eset have reported that Asus’ online WebStorage cloud service has been used to distribute malware thanks to a security flaw in the desktop client’s automatic updater. By exploiting an insecure HTTP connection and faulty code signing checks, attackers were able to distribute and execute software that installs a backdoor known as Plead on affected computers. The Plead malware is a simple backdoor that infects PCs and then downloads additional malware, which is added to the Windows startup routine so that it is executed every time the infected PC is booted up.
According to Eset, the malware was discovered on computers in Taiwan belonging to its clients, and the issue could be far more widespread. Beginning in April, the company started detecting infected files being downloaded automatically onto PCs by the Asus WebStorage updater, which is a legitimate Windows background service. The attackers were able to trick the software into downloading the malware from a compromised Taiwanese government server rather than a genuine update from Asus’s own servers. Asus’ software was not verifying the digital signatures of the updates it received, according to Eset reseracher Anton Cherepanov.
Eset says it notified Asus about the issue before going public with the information. In response, Asus has published a notice on its WebStorage site, saying it shut down the WebStorage update server as a precaution, and has since implemented new security measures, but recommends that users run their own virus scans immediately to be sure that they are safe.
Eset is still investigating the case, and believes that the attackers did not use the same method as the supply-chain attack that leveraged Asus’ Live Update software and potentially infected over a million users earlier this year. However, the Asus WebStorage servers are not being used as command and control servers for the new malware, and the updater continued to receive legitimate Asus files during this time.
The more likely scenario is a man-in-the-middle method, where the attackers are able to interfere with communication between servers and computers, and substitute legitimate data for the malware. Eset researchers also suspect that compromised routers might have been used, as many of the affected clients were using Asus routers which allow remote access to their admin control panels over the Internet.
Trend Micro, another anti-malware vendor, has previously associated the Plead backdoor with a malicious group called BlackTech, which is known to have conducted online espionage in Asia.