When there wasn’t a match, the affected machines didn’t show any kind of suspicious activity. If it found a match, the next phase of the attack was executed – connecting back to the attacker’s servers and downloading the second malicious payload.
The attackers were able to sign their malicious code inside the update with legitimate ASUS certificates. A table of MAC addresses was hardcoded into the backdoor and it checked whether the victim’s machine’s MAC address matched with an entry in the same table. When software updates are sent to end users, they are signed or authenticated with official ASUS certificates (a form of digital authentication token) to verify that the update is genuine. About 57,000 Kaspersky users downloaded and installed the malicious update. Kaspersky has now released some of the technical details of the attack and it plans on presenting the full technical paper at its Security Analyst Summit to be held between 8-11 April. The company came across the hack in January and reported it to ASUS but customers weren’t notified about it.
Kaspersky believes the malware is like the previous ShadowPad and CCleaner attacks, which were also supply-chain attacks. In these types of attacks, malicious software is delivered or deployed directly to users through trusted channels, in this case, directly using ASUS’ Live Update tool. This attack was first reported by Motherboard.
ASUS Hack: What happened?ĭubbed as the 'ShadowHammer attack' by Kaspersky Lab, it falls under what is called a supply chain attack. However, only about 600 machines were actively targeted by hackers. The hackers were able to affect an estimated half a million ASUS machines.
Cybersecurity researchers at Kaspersky Lab confirmed that the attack was carried out in 2018 between June and November. The attackers breached the official servers and cloaked the malicious code inside the software that was then deployed to end users.
Hackers were able to successfully install malware in ASUS laptops running Windows using the ASUS’ own Live Update software update tool. This includes the consumer solution range." Update: We had reached out to Kaspersky Lab to confirm whether their security solutions will be able to detect the ShadowHammer malware henceforth. Costin Raiu, Director of Global Research and Analysis Team (GReAT), Kaspersky Lab said, "All Kaspersky Lab products successfully detect and block the malware used in Operation ShadowHammer, which is a new advanced persistent threat (APT) campaign discovered that has affected users through what is known as a supply chain attack.