Delaware, USA – April 24, 2019 – New details about the operation ShadowHammer affecting tens of thousands of systems around the world have published. Experts of Kaspersky Lab linked the distribution of the trojanized ASUS Live Updater to the supply-chain attack by the infamous Chinese Winnti group, in addition, they found three more victims of the campaign in South Korea: a pharmaceutical company, a conglomerate holding company, and one more videogame company. In early March, the ESET team discovered a campaign spreading backdoors along with popular video games, most of its victims were located in Asia. Two weeks later, Kaspersky Lab reported the first details about ShadowHammer operation and the MAC address list of attackers ’interest. The evidence found allowed the campaign to be linked not only with ESET’s findings but also with the earlier supply-chain attack distributing ShadowPad backdoor via compromised NetSarang software. In all cases, the adversaries injected a malicious component into a properly signed executable, which allowed for months to avoid detection by anti-virus solutions. It was also confirmed that some users detected the suspicious behavior of ASUS Live Updater, but scanning with available tools and uploading executable to VirusTotal did not help to recognize the threat.
The use of stolen valid digital certificates makes it almost impossible to detect malware by standard means. Thus, it is also necessary to monitor suspicious activity and atypical behavior of processes. APT Framework rule pack uses statistical profiling and behavioral analysis and helps SIEM to detect APT activity using the methodology of Cyber Kill Chain: https://my.socprime.com/en/integrations/apt-framework-arcsight