Supply chain attack campaign ‘Operation ShadowHammer’ targets ASUS Laptop users with backdoors

• Operation ShadowHammer campaign has impacted over 1 million users who have downloaded the backdoored ASUS Live Update Sofware on their systems.
• The Operation ShadowHammer campaign surpasses the ShowPad and CCleaner attacks in complexity and techniques.

What is the issue - Researchers from Kaspersky observed a new campaign dubbed ‘Operation ShadowHammer’ that targets the supply chain by exploiting the backdoored version of ASUS Live Update Software.

Kaspersky Lab’s Global Research and Analysis Team (GReAT) who observed the campaign in January 2019, noted that the campaign took place between June and November 2018.

Why it matters - Operation ShadowHammer campaign has impacted over 1 million users who have downloaded the backdoored ASUS Live Update Sofware on their systems.

GReAT noted that the ASUS Live Update has been downloaded and installed by over 57000 Kaspersky users.

What is ASUS Live Update - ASUS Live Update is a utility which comes reinstalled on ASUS systems is used to ensure that apps, drivers, BIOS, and UEFI are automatically updated.

The big picture

Kaspersky researchers noted that there were multiple versions of infected ASUS Live Update binaries distributed with the attackers targeting ‘unknown pool of users, which were identified by their network adapters’ MAC addresses’.

The attackers behind Operation ShadowHammer hardcoded a list of MAC addresses in the backdoored samples to detect the actual targets of the campaign.

The researchers noted that they were able to extract over 600 MACs from over 200 samples used in this campaign.

Worth noting

• The Operation ShadowHammer campaign surpasses the ShowPad and CCleaner attacks in complexity and techniques.
• GReAT noted that the evidence they collected reveals that this Operation ShadowHammer campaign is linked to the threat actor BARIUM who is responsible for the ShadowPad attack in 2017.
• The victims are primarily from Russia, Germany, and France, followed by Italy, the US, Spain, Poland, the UK, Switzerland, Portugal, Canada, Taiwan, Australia, Japan, and Brazil.

Kaspersky notified Asus on January 31, 2019, about the supply chain attack targeting the ASUS Live Update utility. The cybersecurity firm also provided ASUS with details of the malware used in the campaign and IOCs.

“We’ve also created a tool which can be run to determine if your computer has been one of the surgically selected targets of this attack. To check this, it compares MAC addresses of all adapters to a list of predefined values hardcoded in the malware and alerts if a match was found," researchers wrote.