In July 2018, we discovered that the Plead backdoor was digitally signed with a code signing certificate issued by D-Link Corporation. We recently detected a possible link between the same malware and legitimate software developed by ASUS Cloud Corporation.
According to TrendMicro, the Plead malware is a backdoor used by the BlackTech group in targeted attacks. The BlackTech group is mainly focused on cyber espionage activities in the Asian continent.
The new activity described in this blog post was detected by ESET in Taiwan, where the Plead malware is most actively distributed.
So what happened?
Using ESET telemetry in late April 2019, ESET researchers observed multiple unusual attempts to distribute this malware. To elaborate, the Plead backdoor was created and executed by a legitimate process called AsusWSPanel.exe.
This process belongs to a cloud storage service client named ASUS WebStorage. The executable is digitally signed by ASUS Cloud Corporation.
All observed Plead instances have the filename: Asus Webstorage Upate.exe. Our research has confirmed that ASUS WebStorage’s AsusWSPanel.exe module may create files with such filenames during the software update process.
There are several possible explanations for why legitimate software might spawn and run the Plead malware.
You can access the full article written by Anton Cherepanov at the link here.