Unknown attackers have compromised an update server belonging to Taiwanese computer and electronics maker ASUS and used it to push a malicious backdoor to a huge number of customers, Kaspersky Lab researchers discovered.
Judging by information hard-coded in the malware, the attackers' aim was to compromise about 600 specific computers, but the malware is thought to have been ultimately delivered to over a million users.
Asus Live Updater was used in a big supply chain attack we dubbed Operation #ShadowHammer. We estimate this may have affected over 1 million computer users between June and Nov 2018. https://t.co/jTij3NwpSs
— Costin Raiu (@craiu) March 25, 2019
Kaspersky Lab researchers, who discovered the malware in January 2019 and notified ASUS of the situation, have created a tool users can use to check whether they were among those who installed the trojanized update. They can also perform the same check by entering their ASUS device’s MAC address into this online tool.
How did it all happen?
Kaspersky Lab researchers say that the attack unfolded between June and November 2018 and involved the ASUS Live Update Utility, which comes pre-installed on most ASUS computers and is used to automatically update certain components such as BIOS, UEFI, drivers and applications.
“The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation,” the researchers shared.
“We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.”
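How a MAC-based check of this kind works in practice, as an added example that is neither Kaspersky Lab's checker nor code from the trojanized updater: the target list below is a constructed placeholder (not the list extracted from the samples), distributing the list as SHA-256 fingerprints rather than plaintext MACs is an assumption made here, and the checker normalizes whatever address format the host's tools report before comparing every adapter, not just the first one.

```python
"""Constructed example: check a host's network-adapter MAC addresses against a
target list of the kind the trojanized ASUS Live Update samples carried.
The target list is a constructed placeholder, NOT the real list extracted by
Kaspersky Lab; hashing the entries is an assumption made here so a checker
can be shared without publishing the plaintext addresses."""
import hashlib
import re


def normalize_mac(mac: str) -> str:
    """Reduce '00-1A-2B-3C-4D-5E', '00:1a:2b:3c:4d:5e', '001A.2B3C.4D5E' and
    '001a2b3c4d5e' to one canonical form: 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mac_fingerprint(mac: str) -> str:
    """SHA-256 of the canonical MAC; the list is stored as fingerprints."""
    return hashlib.sha256(normalize_mac(mac).encode()).hexdigest()


# Constructed placeholder target list: fingerprints of two made-up MACs.
CONSTRUCTED_TARGETS = {
    mac_fingerprint("00:11:22:33:44:55"),
    mac_fingerprint("AA-BB-CC-DD-EE-FF"),
}


def matching_adapters(adapter_macs, targets=CONSTRUCTED_TARGETS):
    """Return the canonical MACs of every adapter found on the target list.
    All adapters are checked, since the samples keyed on network adapters
    in general rather than on a single interface."""
    hits = []
    for mac in adapter_macs:
        try:
            canonical = normalize_mac(mac)
        except ValueError:
            continue  # skip malformed entries instead of aborting the check
        if mac_fingerprint(canonical) in targets:
            hits.append(canonical)
    return hits


if __name__ == "__main__":
    # Constructed adapter list in the mixed formats tools like `getmac` or
    # `ip link` might report; one entry is deliberately malformed.
    sample = ["00-11-22-33-44-55", "02:00:4c:4f:4f:50", "bogus"]
    print(matching_adapters(sample))  # ['001122334455']
```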
The researchers have notified ASUS of the compromise but say that the company denied that its signing infrastructure had been compromised. (Kaspersky Lab's findings were independently verified by Symantec.)
The researchers told Kim Zetter that it seems the attacker did not have access to the whole ASUS infrastructure, just part of the signing infrastructure.
They also suggested that the attackers might have gained that access via a 2017 supply chain attack that resulted in the delivery of a backdoored version of the popular CCleaner utility.
In both that and this case, the attackers infected a large number of devices but were apparently after very specific targets.
The group is also believed to be the same one behind the ShadowPad incident from 2017, which was another supply chain attack that involved backdoored server management software used by hundreds of large businesses around the world.
About the malware
The researchers have analyzed the backdoored ASUS Live Update Utility, which was signed with a compromised, valid ASUS certificate. They discovered that, when it found itself on one of the 600 or so targeted machines, it would contact a C&C server and download a second-stage backdoor. Unfortunately, they have not been able to get their hands on that.
They believe that the entire operation remained secret for so long because even though the backdoored ASUS utility was installed on hundreds of thousands of devices, it would do nothing if the device was not on the predefined list.
Still, it does effectively open a backdoor into the system, so ASUS device owners are advised to check whether they have installed it and contact Kaspersky Lab for assistance if they have.