Operation ShadowHammer Hits Asus Users

Delaware, USA – March 26, 2019 – The new supply chain attack targets ASUS users who downloaded the Live Update software from the official website. The investigation is currently ongoing, but researchers from Kaspersky Lab have published an interim report detailing this campaign dubbed Operation ShadowHammer. Unidentified APT group modified the legitimate version of the ASUS Live Update on the company’s official server in the second half of last year. The backdoored version of software update was signed by a stolen legitimate certificate and exactly matched in size with a valid file, so the operation remained for a long time out of the sight of security researchers. The special conditions for activating the malicious component also helped it to stay stealthy: after installation, it checked the victim’s MAC address, and if it matched the address from the hard-coded list, the second stage payload was downloaded from the command and control server. Currently, researchers discovered about 600 MAC addresses that are of interest to adversaries. To check whether you are the target of Operation ShadowHammer, please follow the link: https://shadowhammer.kaspersky.com/

Kaspersky Lab recorded 57,000 systems with the backdoored update utility installed, and researchers from Symantec discovered an additional 13,000+ systems with the same version of the malformed utility. The actual number of installations can go up to a million. Today, ASUS released a fix to protect affected users and a tool to detect possible infections. Supply channel compromises are extremely difficult to detect and respond to timely, while threat actors can conduct both highly targeted attacks (like this one) and destructive outbreaks (like NotPetya attack). To protect against sophisticated attacks, it is necessary to use advanced tools such as APT Framework that adds sophistication to your existing tools and connects the dots between low-level SIEM incidents linking them to high-confidence compromises: https://my.socprime.com/en/integrations/apt-framework-arcsight