ShadowHammer: new attacks on the supply chain threaten hundreds of thousands of ASUS users around the world.
Kaspersky Lab has discovered a new APT (advanced persistent threat) campaign that has affected a large number of users, delivered through what is known as a supply-chain attack. The ShadowHammer authors targeted users of the ASUS Live Update utility by injecting a backdoor into it.
The attack is believed to have taken place at least between June and November 2018. Kaspersky Lab experts estimate that it affected more than one million users worldwide.
The attackers used the ASUS Live Update utility as the initial source of infection. The utility is preinstalled on most new ASUS computers and automatically updates the BIOS, UEFI, drivers and applications. The attackers modified older versions of the ASUS software by injecting malicious code, then signed the result with stolen digital certificates that the company uses to sign its legitimate binaries.
“Selected companies are extremely attractive targets for APT groups that would like to take advantage of their vast customer base,” says Vitaly Kamluk, Director of Global Research and Analysis Team, APAC, Kaspersky Lab. “It is not yet clear what the final target of the attackers was, and we are still investigating who was behind the attack. However, the techniques used to execute the unauthorized code and other discovered artifacts suggest that ShadowHammer is probably related to BARIUM APT, which was previously associated with the ShadowPad and CCleaner incidents, among others,” he added.
Trojanized versions of the utility were signed with legitimate certificates and were hosted and distributed by the legitimate ASUS update servers. This made them virtually invisible to most protection solutions.
How the attack on ASUS software worked
Each backdoored sample contained a hardcoded table of MAC addresses (the unique identifiers of the network adapters used to connect a computer to a network). Once it runs on the victim’s device, the backdoor checks the device’s MAC address against this table. If the MAC address matches one of the entries, the malware downloads the next stage of the malicious code. Otherwise, the trojanized updater shows no network activity at all, which is why it remained undetected for so long.
In total, security experts were able to identify more than 600 targeted MAC addresses. These were spread across more than 230 unique backdoor samples carrying different shellcodes.
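A defender’s first question after reading the above is whether any machine in the fleet carries a MAC address from the target table. The script below is an added example, not Kaspersky Lab’s or ASUS’s code: the target table and the asset inventory are constructed sample values, and a real table extracted from a sample would need the same normalization before comparison, since MAC addresses are written in several notations.

```python
"""Fleet check for a MAC-address-keyed supply-chain backdoor.

The backdoored updater only activated on machines whose adapter MAC
appeared in its hardcoded table, so host-side matching against an asset
inventory is the practical way to find out who was actually targeted.
Added illustration; target table and inventory below are constructed.
"""
import re

# Constructed sample: MAC values as they might be pulled from a backdoored sample,
# deliberately in mixed notations (colon, hyphen, Cisco dotted).
TARGET_TABLE = ["00:1A:2B:3C:4D:5E", "aa-bb-cc-dd-ee-ff", "0011.2233.4455"]

# Constructed sample asset inventory: hostname -> list of adapter MACs.
INVENTORY = {
    "laptop-01": ["00-1a-2b-3c-4d-5e", "02:00:00:00:00:01"],
    "laptop-02": ["10:20:30:40:50:60"],
    "desktop-07": ["00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF"],
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits.

    Accepts colon, hyphen and Cisco dotted forms as well as bare hex.
    Raises ValueError on anything that is not exactly 48 bits of hex.
    """
    digits = re.sub(r"[:.\-\s]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return digits


def targeted_hosts(target_table, inventory):
    """Return {hostname: [matching MACs]} for hosts with an adapter in the table."""
    targets = {normalize_mac(m) for m in target_table}
    hits = {}
    for host, macs in inventory.items():
        matched = sorted(m for m in macs if normalize_mac(m) in targets)
        if matched:
            hits[host] = matched
    return hits


if __name__ == "__main__":
    for host, macs in targeted_hosts(TARGET_TABLE, INVENTORY).items():
        print(f"{host}: adapter(s) {', '.join(macs)} are on the target list")
```

Because the implant stays silent on non-matching hosts, network telemetry alone will not reveal who was selected; a match here is what justifies treating a host as a confirmed target rather than a bystander.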
The modular approach and additional precautions taken indicate that it was very important for the attackers to remain undetected. They managed to hit well-defined targets with surgical precision. The technical analysis shows that the arsenal of attackers is very advanced and reflects a very high level of development within the group.
In theory, every user of the affected software could have become a victim. In practice, however, ShadowHammer’s authors focused on gaining access to a few hundred users about whom they had prior knowledge.
A search for similar malware revealed that software from three other Asian vendors had been tampered with using very similar methods and techniques. Kaspersky Lab reported the issue to ASUS and the other vendors.
All Kaspersky Lab products detect and block the malware used in ShadowHammer.
Kaspersky Lab recommends implementing the following measures:
- In addition to mandatory endpoint protection, deploy a corporate security solution that detects advanced network threats at an early stage;
- For endpoint detection, investigation and timely resolution of incidents, implement an EDR solution such as Kaspersky Endpoint Detection and Response, or engage a specialized incident response team;
- Integrate threat intelligence feeds into SIEM systems and other security controls to access the most relevant and up-to-date threat data and prepare for future attacks.