ASUS WebStorage abused to spy on users at the router level

Vulnerable software is potentially facilitating surveillance and data theft.

Asus ZenBook Pro 15 Without being the greatest laptop ever seen, Asus gets points for trying something new in ScreenPad. Hopefully it sticks with it.

The ASUS WebStorage system is being actively abused to perform Man-in-The-Middle (MiTM) attacks, researchers say.

ESET researcher Anton Cherepanov published a report detailing attack vectors related to WebStorage, ASUS's cloud storage service, on Tuesday.

According to the team, the Plead malware may be being distributed through MiTM attacks taking place against ASUS software.

Plead is a malware variant which specializes in data theft through a combination of the Plead backdoor and Drigo exfiltration tool.

Plead is known to spread through public exploits such as CVE-2015-5119, CVE-2012-0158, and CVE-2014-6352, but in July 2018, ESET researchers also found that the malware was being distributed through a code-signing certificate stolen from D-Link.

The malware has been connected to BlackTech, a cyberespionage group which is believed to be operating in Asia and has been linked to attacks against targets in Taiwan, Japan, and Hong Kong.

ESET says that new activity has been tracked involving Plead and ASUS software. Discovered in Taiwan, the Plead malware is now being created and executed by the legitimate AsusWSPanel.exe process, which is used in Windows to operate ASUS WebStorage.

See also: Hijacked ASUS Live Update software installs backdoors on countless PCs worldwide

All samples observed by ESET use the filename ASUS Webstorage Upate.exe.

The team says that as Plead deploys, the downloader is able to pull a fav.ico file from a server which mimics the official ASUS WebStorage server. This malicious file is then decrypted by Plead and another executable is dropped which is able to decrypt additional shellcode for execution in memory.

The shellcode loads a .DLL file which pulls modules from a command-and-control (C2) server for execution. Known as TSCookie and also connected to BlackTech, the malware is able to steal data including operating system information and user credentials.  

CNET: WhatsApp flaw let attackers install spyware with a phone call

In one scenario, MiTM attacks can be performed at the router level, an attack vector which would be difficult to detect and may lead to the loss of data or browser session tampering & redirection.

As ASUS WebStorage is updated through HTTP, these requests are not validated for authenticity before execution. This, in turn, suggests that update processes can be intercepted by attackers and are vulnerable to exploit.

"Therefore, attackers could trigger the update by replacing these [elements] using their own data," the team says. "This is the exact scenario we actually observed in the wild."

ESET also suggests that users of the ASUS cloud service may be susceptible to supply chain-based attacks, made possible through the HTTP ASUS update mechanism to pull independent forms of malware onto a victim device.

TechRepublic: Cybersecurity burnout: 10 most stressful parts of the job

However, there is no evidence that ASUS WebStorage servers are being used as malicious C&C servers or have served malicious binaries themselves.

The security researchers have notified the vendor of the firm's findings. ESET has provided Indicators of Compromise (IoC), available here.

In related news this week, over 25,000 Linksys Smart Wi-Fi routers were found to be leaking sensitive information including MAC addresses, device names, and configuration settings. The problem is due to a flaw first disclosed in 2014 and does not appear to have been patched on all impacted routers.

ZDNet has reached out to ASUS with additional queries and will update if we hear back.

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0