Operation ShadowHammer: ASUS Live Update software pushed malware

Hackers hijacked updates propagated via ASUS Live Update Utility to install backdoors on thousands of users' PCs

Operation ShadowHammer: hackers managed to hijack ASUS Live Update to insert a backdoor into users' computers

ASUS, one of the biggest multinational computer hardware manufacturers in the world, was recently abused by cybercriminals to install backdoor malware on thousands of computers worldwide. Kaspersky Lab researchers first discovered the sophisticated attack, dubbed ShadowHammer, back in January 2019.

According to the report published by security experts,[1] the compromise lasted five months last year, between June and November, and affected more than a million people around the world, with 57,000 detections stemming from Kaspersky security solutions. The scale of the attack is a bit less than half that of the 2017 incident in which cybercriminals managed to spread a malicious version of CCleaner that installed Floxif malware.[2]

ASUS Live Update is software that is pre-installed on most of the computers produced by the company. Considering that ASUS is one of the most popular computer manufacturers in the world, the ability to install malware onto users' machines through its software is extremely attractive to hackers.

Hackers initially targeted 600 unique MAC addresses but ended up infecting more than a million devices

Researchers say that the complexity and sophistication of the attack might even surpass that of the CCleaner or the Shadowpad[3] incidents. The intrusion was carefully planned and remained undetected for over six months.

Among the reasons why the activity went unnoticed for so long, experts name the file's valid certificate, signed by “ASUSTeK Computer Inc”, and the fact that the malicious updates were hosted on legitimate ASUS servers: liveupdate01s.asus.com and liveupdate01.asus.com.

According to Kaspersky experts, only 600 MAC addresses were used in the initial attack, but it resulted in many more infections (a MAC address is the unique identifier of a network adapter):

<…> the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.
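A defender-side check that follows from the targeting described above, added here as an example and not taken from Kaspersky's or ASUS's tooling: it pulls the MAC addresses out of adapter output, normalizes them, and compares them with a list of targeted addresses. It assumes such a list is available to you; the adapter output, the list entries and the function names below are constructed for illustration.

```python
import re

# Constructed sample in the style of `ipconfig /all` (not from a real machine).
SAMPLE_ADAPTER_OUTPUT = """\
Ethernet adapter Ethernet:
   Physical Address. . . . . . . . . : 00-11-22-AA-BB-01
Wireless LAN adapter Wi-Fi:
   Physical Address. . . . . . . . . : 00-11-22-AA-BB-02
Tunnel adapter isatap:
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

# Constructed placeholder entries standing in for a list of targeted MACs.
# Real lists arrive in mixed notations, so three styles and one bad row appear.
TARGET_LIST = ["00:11:22:aa:bb:02", "0011.22aa.bbff", "not-a-mac"]

# Exactly six hex pairs joined by ':' or '-'; the lookarounds reject longer
# runs such as the 8-byte tunnel adapter address in the sample.
MAC_TOKEN = re.compile(
    r"(?<![0-9A-Fa-f:-])[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}"
    r"(?![:-]?[0-9A-Fa-f])"
)

def normalize_mac(value):
    """Return 12 lowercase hex digits, or None if value is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def local_macs(adapter_output):
    """Collect every 48-bit MAC address found in the adapter listing."""
    return {normalize_mac(m) for m in MAC_TOKEN.findall(adapter_output)}

def targeted_macs(adapter_output, target_list):
    """Return the local MACs that also appear in the target list, sorted."""
    targets = {n for n in map(normalize_mac, target_list) if n}
    return sorted(local_macs(adapter_output) & targets)

if __name__ == "__main__":
    hits = targeted_macs(SAMPLE_ADAPTER_OUTPUT, TARGET_LIST)
    for mac in hits:
        print("adapter on target list:", mac)
    if not hits:
        print("no local adapter is on the target list")
```

A match means the machine was an intended target; no match does not mean the machine never received the trojanized update.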

ASUS did not want to accept the server compromise

The ShadowHammer was reported to the industry giant on January 31st, which was followed by a meeting between a Kaspersky analyst and ASUS representatives on February 14th. Nevertheless, it seems that ASUS was in no hurry to accept the fact that its software was compromising thousands of users' machines and, since the meeting, not much has been done.

Kaspersky experts are not the only ones that are analyzing the attack, however. According to an article by Motherboard,[4] the incident is also being investigated by reputable security vendor Symantec. Currently, the firm claims that over 13,000 of its customers were affected by the malicious backdoor that was transferred via the compromised ASUS servers.

The ordeal came to light due to the new investigation techniques implemented by security vendors. They relate to the analysis of supply-chain attacks, which allow attackers to install malware during the manufacturing process of the hardware, during pre-installation of software, or later via trusted business channels. Vendor software updates are perfect tools for propagating malicious software to thousands of users' computers, all while remaining undetected.

According to Kaspersky, most of its affected customers came from Russia (18%), while Symantec reported the majority of the infected were from the US. The experts noted:

It should be noted that the numbers are also highly influenced by the distribution of Kaspersky users around the world. In principle, the distribution of victims should match the distribution of ASUS users around the world.

ASUS is not the only company that came under scrutiny after compromising users' security. Back in 2014, Lenovo distributed Superfish adware that allowed hackers to exploit secure HTTPS connections to monitor traffic, redirect users to dangerous sites and corrupt computers' performance drastically. This resulted in a $7.3 million settlement plus another $3.5 million paid a year earlier.[5]

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and the owner of 2-Spyware. At the moment, he takes over as Editor-in-chief.
