That’s as bad as it can get. Hackers gained access to the update server and could sign their malware with the ASUS signature key. Two things that should never happen.
Some people on Reddit spotted that suspicious update, but could not tell what it was doing. It was signed by ASUS, so most decided it should be fine.
Wow, did I read that correctly? ASUS Web Storage.exe, as part of its self-upgrade process, downloads over http(!) a JSON file containing a link to an arbitrary binary, and executes it, no questions asked, on your PC…
The ASUS WebStorage software is vulnerable to a man-in-the-middle attack (MitM). Namely, the software update is requested and transferred using HTTP; once an update is downloaded and ready to execute, the software doesn’t validate its authenticity before execution. Thus, if the update process is intercepted by attackers, they are able to push a malicious update.
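The check that the quoted description says is missing, as an added example that is not part of the thread and not ASUS code: the client authenticates the update manifest against a pinned public key, refuses non-HTTPS download links, and only accepts a binary whose SHA-256 matches the signed manifest. The manifest fields `url` and `sha256`, the function names and the toy RSA key are assumptions made for illustration.

```python
import hashlib
import json
from urllib.parse import urlsplit

# Constructed toy RSA key (two Mersenne primes) so the example runs offline.
# A real updater ships only the vendor's public key (N, E), properly generated.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: vendor build server only
K = (N.bit_length() + 7) // 8      # modulus length in bytes
# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2)
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _encode(message: bytes) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message), as an integer."""
    t = SHA256_PREFIX + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t
    return int.from_bytes(em, "big")


def vendor_sign(manifest: bytes) -> int:
    """Vendor side: sign the exact manifest bytes."""
    return pow(_encode(manifest), D, N)


def verify_update(manifest: bytes, signature: int, payload: bytes) -> bool:
    """Client side: True only if the payload may be executed."""
    # 1. Authenticate the manifest; rebuild the full encoding and compare.
    if not 0 < signature < N or pow(signature, E, N) != _encode(manifest):
        return False
    try:
        meta = json.loads(manifest)
        url, expected = meta["url"], meta["sha256"]
    except (ValueError, KeyError, TypeError):
        return False
    # 2. Refuse download links that are not HTTPS.
    if not isinstance(url, str) or urlsplit(url).scheme != "https":
        return False
    # 3. The downloaded bytes must match the digest the vendor signed.
    return hashlib.sha256(payload).hexdigest() == expected
```

As the first comment in the thread notes, this only helps while the signing key and the server that holds it stay out of an attacker's hands.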