ShadowHammer Malware Delivered Via ASUS Updates

Cybersecurity firm Kaspersky Lab revealed that computer manufacturer ASUS was unwittingly used to install a malicious backdoor onto thousands of its computers last year. Hackers had previously compromised one of ASUS’ live software update servers, and distributed malware disguised as authentic software updates from the company. The backdoor, dubbed “Operation ShadowHammer,” was delivered to customers for at least 5 months before its discovery.

Kaspersky researchers estimate that while half a million Windows computers received the bogus update via ASUS’s server, the hackers only targeted about 600 systems. These were identified and located via their MAC addresses, after which the malware was configured to install additional software.

This attack reflects the increasing trend toward so-called ‘supply-chain’ attacks, where hackers target systems during manufacture or assembly. Vendor software updates are also at risk, as users tend to trust software coming from their computer or OS manufacturer. Previous similar attacks include the infamous Flame spy tool in 2012, in which the Windows Update tool was redirected to a malicious server controlled by the attackers, and an attack through the CCleaner software updater in 2017.

Few of the systems affected by ShadowHammer are based in the United States, according to records from Kaspersky and Symantec. Still, this attack shows significant planning and sophistication on the attackers’ part. While infecting thousands of systems when you’re only interested in a few may seem like overkill, this malware still provides a possible backdoor to all affected machines for future exploitation.

In response, ASUS has released an updated version of its Live Update software that resolves the ShadowHammer vulnerability, and has announced steps to improve its backend server security to head off similar attacks in the future. Instructions on updating Live Update can be found here. While the chances that your system has been affected are small, ASUS also recommends running its security diagnostic tool to identify any possible issues.

For more information on Operation ShadowHammer and how it was discovered, check out this detailed breakdown on Motherboard. Kaspersky has published technical details on the attack on its website. Lifehacker put out a concise guide to identifying whether your system has been affected, and how to remove the malware.

For ASUS’ official response, including a download link for their security diagnostic tool, check out their announcement here.

If you have questions about maintaining system security at your facility or how to identify possible malware threats, contact Nodal!