Researchers discovered that ASUS was not the only company affected by the ShadowHammer supply chain attack
Kaspersky Lab security researchers published a report providing more details about Operation ShadowHammer, a sophisticated attack that replaced the original, digitally signed ASUS Live Update installers with trojanized ones and infected tens of thousands of users with backdoor malware.
According to the research, the attack did not only affect the tech giant ASUS but also the gaming industry. Three different gaming companies were found distributing digitally signed binaries that carried the same backdoor payload as the trojanized ASUS Live Update. Because the binaries were signed with the companies' own legitimate certificates, security software that trusts validly signed code let them through.
ESET, which covered the incident back in March, noted that the infected user count was highest in Asian countries, with the largest share of infections coming from Thailand. Given the popularity of the affected game installers, which include the popular first-person shooter Point Blank, the infection count might reach "the tens or hundreds of thousands."
Considering the scope and sophistication of these attacks, researchers believe they are part of a much larger international operation, one that also includes the infamous CCleaner incident:
We believe this to be the result of a sophisticated supply chain attack, which matches or even surpasses the ShadowPad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly the fact that the trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”).
The installed payload appears to be a first-stage backdoor: it gains a foothold on the machine and sends a unique identifier to a command-and-control (C2) server run by the attackers. This lets them decide which devices to target in the second stage of the attack.
Hackers compromised Microsoft development tools used to build the officially signed installers
Microsoft Visual Studio, a popular development tool, was compromised by the attackers without the game developers realizing it. Because the backdoor is inserted while the game is being built, the legitimate digital signature the developer applies afterwards covers the malicious code as well, so legitimate companies end up distributing malicious installers that security software on victims' computers accepts as trusted. This shows the attackers escalating their technique: in the ASUS case (since fixed), only the update files were tampered with, and compromised servers were then used to distribute the malware.
Kaspersky researchers say this type of attack is badly underestimated, and many developers are not aware that their tools have been backdoored in the first place. Firms use the trojanized tools to produce malicious executables without knowing it, and because the output carries the firm's own signature, both users and security software trust it.
It is still unknown how the attackers corrupted the development tools in the first place. Theories researchers consider include pirated copies of the software as well as targeted network breaches of specific companies.
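The ordering described above (build first, sign second) is what makes a valid signature useless as evidence that the build was clean. The following simulation is an added example, not code from the page, from Kaspersky or from any of the affected vendors. The "binary", the backdoor stub and the vendor key are all constructed; HMAC-SHA256 stands in for the RSA/Authenticode signature a real code-signing certificate would produce, since the trust model (the endpoint trusts whatever the key signed) is the same. It also shows the one check that does catch the tampering: rebuilding from source on a known-clean toolchain and comparing digests, i.e. a reproducible-build check.

```python
import hashlib
import hmac

# Constructed sample "source" standing in for a game's code base.
SOURCE = b"int main(void) { return 0; }"
# Hypothetical backdoor stub that a trojanized build tool appends to every binary it emits.
BACKDOOR_STUB = b"\x90\x90<collect-unique-id-and-beacon-to-c2>"
# Hypothetical vendor code-signing key (constructed). HMAC-SHA256 stands in for the
# RSA/Authenticode signature a real certificate would produce.
VENDOR_SIGNING_KEY = b"constructed-vendor-signing-key"


def clean_build(source: bytes) -> bytes:
    """Honest build tool: output is a deterministic function of the source only."""
    return b"MZ" + hashlib.sha256(source).digest() + source


def trojanized_build(source: bytes) -> bytes:
    """Compromised build tool: same output as the clean one plus a silently appended stub."""
    return clean_build(source) + BACKDOOR_STUB


def sign(binary: bytes) -> bytes:
    """The vendor signs whatever the build produced; signing always runs after the build."""
    return hmac.new(VENDOR_SIGNING_KEY, binary, hashlib.sha256).digest()


def signature_is_valid(binary: bytes, signature: bytes) -> bool:
    """The only check an endpoint that trusts the vendor's certificate performs."""
    return hmac.compare_digest(sign(binary), signature)


def vendor_release(build_tool):
    """Vendor pipeline: build with whatever toolchain is installed, then sign the result."""
    binary = build_tool(SOURCE)
    return binary, sign(binary)


def matches_reference_build(released: bytes, reference: bytes) -> bool:
    """Reproducible-build check: compare the shipped binary with a rebuild on a clean toolchain."""
    return hashlib.sha256(released).digest() == hashlib.sha256(reference).digest()


def analyze(build_tool) -> dict:
    """Run a release through the three checks and report what each one sees."""
    binary, signature = vendor_release(build_tool)
    reference = clean_build(SOURCE)  # independent rebuild from the same source
    return {
        "signature_valid": signature_is_valid(binary, signature),
        "contains_backdoor": BACKDOOR_STUB in binary,
        "matches_reference": matches_reference_build(binary, reference),
    }


if __name__ == "__main__":
    for name, tool in (("clean toolchain", clean_build), ("trojanized toolchain", trojanized_build)):
        print(name, analyze(tool))
```

Both releases verify as correctly signed; only the independent rebuild distinguishes them. That is the practical lesson of the page: signature verification and certificate revocation answer "did the vendor sign this?", not "is what the vendor signed what they meant to build?", and the second question needs a build-integrity control such as reproducible builds or hash comparison against an independent build.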
As for the infection count, Kaspersky security tools have detected around 92,000 infections so far, with 55 percent coming from Thailand, 13 percent from Taiwan and 13 percent from the Philippines, while the rest of the affected users are in Vietnam, Hong Kong and Indonesia. Despite these numbers, experts believe the scope is much broader, as many users run outdated, insufficient or no security tools.
Infestation: Survivor Stories and Point Blank among the titles gamers should be wary of
Researchers discovered that South Korean game developer Zepetto Co., which is behind the popular FPS game Point Blank, was among the three affected companies. Kaspersky researchers noted that the compromised digital certificate had still not been revoked in early April, although the company had stopped using it in February.
Another victim of ShadowHammer was Electronics Extreme Company Limited, a Thailand-based developer. The affected title is Infestation: Survivor Stories (also known as The War Z), a post-apocalyptic zombie survival game. There is a lot of controversy surrounding it, as the game's source code was stolen in 2013 and released to the public. The project was then taken on by other companies, including the bad actors who released a compromised version of the game. Kaspersky Lab said it found at least three trojanized samples carrying valid certificates belonging to Electronics Extreme Company Limited.
The gaming industry is huge, and as its profits and its audience grow, attackers' interest will not subside either. Several other incidents show this: both the hugely popular Fortnite and Apex Legends battle royale games were targeted, with bad actors offering fake mobile versions of the games and cheats promising an unfair in-game advantage that also installed malware on the computer.