ASUS Live Update Utility hacked to deliver ShadowHammer backdoor malware to a million systems
Kaspersky Lab reports that the software update system used by ASUS was hijacked by hackers and used to deliver a backdoor-laden piece of malware to users. The company estimates that around a million users may have been affected by what it describes as "one of the biggest supply-chain incidents ever".
Back in January, the security firm discovered that a threat actor interfered with the ASUS Live Update Utility, adding a backdoor to it. Signed with an official ASUS certificate and carefully crafted to be precisely the same size as the official tool, the malware -- dubbed ShadowHammer -- went unnoticed for some time.
See also:
- Kaspersky reports Apple to antimonopoly authorities over the handling of its apps
- Hackers are exploiting critical WinRAR bug exposed last month
- Want to hack an iPhone? Cellebrite hacking tools are available on eBay
- Microsoft reveals Russian hacking attacks as it expands AccountGuard protection across Europe
It is thought that the malware campaign -- news of which was first shared by Motherboard -- was originally intended to target just a handful of people. Kaspersky says that just 600 MAC addresses appear to have been of interest to the criminals behind the hack. But the company found that over 57,000 users of its security software had the backdoored version of the ASUS utility installed, leading to the extrapolation that around a million people may have been affected in total.
Writing on the its SecureList blog, Kaspersky reveals more about the malware campaign:
The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters' MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.
We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: "ASUSTeK Computer Inc."). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.
Kaspersky discovered the malware earlier in the year after adding a new supply-chain detection technology to its scanning software. It seems that ASUS was not the only victim of this type of attack, as the Russian security firm explains:
While investigating this attack, we found out that the same techniques were used against software from three other vendors. Of course, we have notified ASUS and other companies about the attack. As of now, all Kaspersky Lab solutions detect and block the trojanized utilities, but we still suggest that you update the ASUS Live Update Utility if you use it. Our investigation is still ongoing.
ASUS has not commented on the matter.