Between June and November 2018, a group of state-sponsored attackers compromised the ASUS Live Update server and pushed trojanized updates that installed a backdoor on, by Kaspersky Lab's estimate, more than one million Windows computers worldwide.
How did Operation ShadowHammer unfold?
According to Kaspersky Lab, which discovered the attack and dubbed it "Operation ShadowHammer," ASUS was informed of the compromise of its update supply chain on January 31, 2019.
According to the researchers, at least half a million Windows computers received the backdoored update through the ASUS update server. The attackers were not interested in all of those users: the backdoor carried a hard-coded list of roughly 600 target MAC addresses (stored as hashes rather than in the clear) and only acted on machines whose network adapter matched one of them. On a match, the malware contacted the attackers' command-and-control server and downloaded additional malicious software onto that machine.
The attackers signed their malware with two different legitimate ASUS code-signing certificates. The first expired in mid-2018, at which point they switched to the second, also a valid ASUS certificate.
How does the ASUS Live Update Backdoor work?
The malicious file delivered to client computers was named "setup.exe" and was presented as an update of the Live Update tool itself. In fact it was a three-year-old ASUS Live Update binary from 2015 into which the attackers had injected malicious code before signing it with a legitimate ASUS certificate.
According to Kaspersky Lab, the attackers distributed it to users between June and November 2018. Reusing an old binary under a valid signature suggests that the attackers had access to the infrastructure ASUS uses to sign its files, but not to the build server that compiles new ones. That the same ASUS binary was used every time points the same way: the intruders did not control the entire ASUS infrastructure, only the part that produced signatures.
ASUS continued to deliver legitimate updates during the period the malware was being distributed, but those were signed with a different certificate under a stricter verification scheme that is harder to abuse.
The malicious code contained hard-coded MD5 hashes, which turned out to be hashes of network adapter MAC addresses. At run time the backdoor hashed the MAC addresses of the infected machine and compared them against that list; if one of the roughly 600 target values matched, it contacted asushotfix.com, a domain set up to look like a genuine ASUS site, to fetch and install the second-stage backdoor.
Who is behind the operation ShadowHammer?
The researchers did not attribute the attack to any currently active APT group, but some evidence linked it to the 2017 ShadowPad incident, which Microsoft attributed to the BARIUM group. ShadowPad targeted a Korean company that produced enterprise server-administration software. The same group was also associated with the attack on CCleaner, where, although millions of computers received the trojanized update, a second-stage backdoor similar to the one delivered to ASUS victims was pushed to only a small subset of them.
Symantec reported that it found the malware on more than 13,000 computers running its antivirus software.
According to Kaspersky Lab, the malicious version of ASUS Live Update was delivered to and installed on at least 57,000 of its own users' systems. Most of the victims Kaspersky saw were in Russia, Germany, France, Italy and the United States.
Kaspersky Lab released a standalone checking tool and an online page (https://shadowhammer.kaspersky.com) where ASUS users can enter their MAC addresses to check whether they are on the target list.
However, for large enterprises with hundreds of thousands of systems, checking MAC addresses one at a time through a web form is not a practical way to find out whether any of their machines were targeted.
To solve this problem and help other security teams continue the hunt, Shahar Zini, CTO of the Australian security firm Skylight Cyber, released a list of 583 recovered MAC addresses (https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/, file list.txt).
Skylight's researchers obtained the target MAC addresses from the standalone tool Kaspersky had released: the executable carries the complete list of 619 entries, but only as salted hashes, not as plaintext MAC addresses.
Because a MAC address is only 48 bits, and its first 24 bits are a vendor prefix (OUI) drawn from a limited set, the search space is tiny by password-cracking standards. Using a powerful Amazon server and a modified version of the hashcat password-cracking tool, they recovered 583 of the MAC addresses in under an hour.
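As an added illustration, not code from Kaspersky, Skylight or the original article, the following Python shows both halves of the story: the stage-one gate that hashes the local adapters' MAC addresses and compares them against a hard-coded list (the mechanism described under "How does the ASUS Live Update Backdoor work?"), and why storing that list as hashes, salted or not, offers little protection when the inputs are MAC addresses (the Skylight recovery). The target addresses, the salt and the MAC formatting before hashing are all constructed for the demo; the exact byte format the real malware hashed is not described on this page.

```python
import hashlib
from typing import Dict, Iterable, Set

# Constructed demo values. The real target list held ~600 hashes; the exact
# format the malware hashed is not given on this page, so this demo assumes
# a lowercase, colon-separated ASCII MAC ("aa:bb:cc:dd:ee:ff").
TARGET_MACS = ["00:e0:4c:00:00:2a", "a4:b1:c1:00:01:7f"]


def mac_hash(mac: str, salt: str = "") -> str:
    """MD5 of an (optionally salted) MAC string, normalised to lowercase."""
    return hashlib.md5((salt + mac.lower()).encode("ascii")).hexdigest()


# What a ShadowHammer-style first stage carries: hashes only, never the MACs.
TARGET_HASHES: Set[str] = {mac_hash(m) for m in TARGET_MACS}


def is_targeted(local_macs: Iterable[str], targets: Set[str] = TARGET_HASHES) -> bool:
    """Stage-one gate: call out to the C2 only if a local adapter is on the list."""
    return any(mac_hash(m) in targets for m in local_macs)


def crack_macs(hashes: Iterable[str], ouis: Iterable[str], salt: str = "",
               max_suffix: int = 1 << 24) -> Dict[str, str]:
    """Recover MACs from their hashes by enumerating the 24-bit NIC suffix
    under each candidate OUI. A known salt (for instance one embedded in a
    checker tool) is simply prepended, so it does not enlarge the search."""
    remaining = set(hashes)
    found: Dict[str, str] = {}
    for oui in ouis:
        for n in range(max_suffix):
            if not remaining:
                return found
            mac = f"{oui}:{(n >> 16) & 0xff:02x}:{(n >> 8) & 0xff:02x}:{n & 0xff:02x}"
            h = mac_hash(mac, salt)
            if h in remaining:
                found[h] = mac
                remaining.discard(h)
    return found


if __name__ == "__main__":
    # A host with only non-target adapters stays quiet; a target host would call out.
    print("quiet host targeted?", is_targeted(["de:ad:be:ef:00:01"]))
    print("victim host targeted?", is_targeted(["de:ad:be:ef:00:01", "A4:B1:C1:00:01:7F"]))

    # A full search is 2^24 MD5s per OUI (~16.7M); hashcat on a GPU does that in
    # well under a second. Capped here so the pure-Python demo finishes quickly.
    recovered = crack_macs(TARGET_HASHES, ["00:e0:4c", "a4:b1:c1"], max_suffix=1 << 12)
    for h, mac in recovered.items():
        print(f"{h} -> {mac}")
```

The point of `crack_macs` is the size of the keyspace, not the hash function: with the OUI known or guessable, each prefix costs about 16.7 million MD5 computations, which a single GPU under hashcat clears in well under a second, and a salt that ships inside the same executable as the hashes adds nothing. Hashing a low-entropy identifier such as a MAC address hides it from a casual string search, but not from anyone willing to enumerate it.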