[German]Users who installed the ASUS Live Update Utility on their computers were probably infected between June and November 2018 with a backdoor. According to Gartner, ASUS was the 5th largest computer manufacturer in 2017, and the number of people affected is correspondingly high (estimated at 1 million). For a long time, the backdoor was not detected by common virus protection solutions. Luck for many victims: The attackers had specific targets in mind which were spied on via this backdoor.
Attack on ASUS utility
Kaspersky Lab discovered a new Advanced Persistent Threat (APT) campaign in January 2019 – and made it public today. This campaign probably affected users who downloaded the ASUS Live Update Utility on their computers between June and November 2018.
Asus Live Updater was used in a big supply chain attack we dubbed Operation #ShadowHammer. We estimate this may have affected over 1 million computer users between June and Nov 2018. https://t.co/jTij3NwpSs
— Costin Raiu (@craiu) 25. März 2019
The GReAT team (Global Research and Analysis) from Kaspersky Lab named this vicious campaign ShadowHammer. Kim Zetter of Motherboard reported that the deposited version of the ASUS Live Update was downloaded and installed by more than 57,000 Kaspersky users. However, the research team estimates that a much larger number of users are affected, with a total of over one million infected computers.
ASUS utility infected in a supply chain attack
ASUS Live Update is a utility that is preinstalled on most ASUS computers and is used to automatically update certain components, such as BIOS, UEFI, drivers, and applications. Such a component is a found food for any attacker.
A successful supply chain attack for such a tool is one of the most dangerous and effective infection vectors used in advanced operations in recent years (as seen in ShadowPad or CCleaner). Such an attack attempts to exploit specific weaknesses in the interconnected systems of all those involved in the product lifecycle. While the infrastructure of a vendor such as ASUS can often be described as secure, there may be vulnerabilities in the facilities of sub-suppliers or in the transfer interfaces.
If the attacker managed it, infecting the manufacturer’s supply chain, the infected software is rolled out to a large number of devices. The actors behind ShadowHammer targeted the ASUS Live Update Utility as the first source of infection. ASUS pre-installs this tool on its machines.
Using stolen digital certificates used by ASUS to sign legitimate binary files, attackers manipulated older versions of ASUS software and injected their own malicious code into a backdoor. Trojan versions of the utility were then signed with legitimate certificates, hosted on official ASUS update servers, and then distributed.
Blind antivirus solutions, special targeted victims
This distribution channel via the manufacturer made the compromised software largely invisible to the vast majority of protection solutions, as Kaspersky writes. Possibly the ‘protection solutions’ could be deceived by the digital signature.
Theoretically, the infection would have meant that potentially any user could have become a victim of the affected software. But the actors behind ShadowHammer focused on gaining access to several hundred users. The attackers already knew about these users.
Researchers at Kaspersky Lab found that each backdoor code contained a table of hard-coded MAC addresses – the unique identifiers of network adapters used to connect a computer to a network. Once executed on a victim’s device, the backdoor checked the MAC address of the device against a table. If the MAC address matched one of the entries, the malware downloaded the next level of malicious code.
Otherwise, the infiltrated updater showed no network activity. Therefore, the infection of the utility remained undetected for so long. In total, Kaspersky’s security experts identified more than 600 MAC addresses. These were addressed by over 230 unique backdoor modules, each with a different shell code.
The modular approach and the additional precautions taken in executing the backdoor code show that it was very important for the actors behind this challenging attack to remain undetected. At the same time, the actors pursued some very specific approaches to hit the targets with surgical precision. An in-depth technical analysis shows that the arsenal of attackers is very developed and reflects a very high level of development of the actors.
The search for similar malware has revealed software from three other vendors in Asia, all infected with very similar methods and techniques. Kaspersky Lab has reported the problem to Asus and the other vendors.
“The selected vendors are extremely attractive targets for APT groups that want to leverage their large customer base. It is not yet clear what the ultimate target of the attackers was, and we are still investigating who is behind the attack. However, the techniques for obtaining unauthorized code execution and other artifacts discovered suggest that ShadowHammer is likely to be related to the BARIUM APT that was previously associated with the ShadowPad and CCleaner incidents, among others. This new campaign is another example of how demanding and dangerous an attack on a supply chain can be today,” said Vitaly Kamluk, Director of Global Research and Analysis Team, APAC, Kaspersky Lab.
What users can do
For users of the ASUS Live update utility on their Windows systems, the question is what can be done to avoid becoming the victim of a targeted attack. Kaspersky proposes the following measures::
- Implement not only an essential antivirus solution (endpoint protection), but also an enterprise-wide security solution that detects advanced network layer threats at an early stage. The Kaspersky Anti Targeted Attack Platform is one example.
- Kaspersky security researchers recommend implementing EDR solutions such as Kaspersky Endpoint Detection and Response or contacting a professional incident response team to detect, investigate and resolve incidents in a timely manner;
- Integrate threat intelligence feeds into your SIEM and other security controls to gain access to the most relevant and up-to-date threat data and prepare for future attacks.
Kaspersky has also provided an offline utility and an online web checker. The tools allow users to check whether their computers have been infected by ShadowHammer. The offline tool has to be unpacked locally and reports if you are infected (but I get a message that there is no infection due to the lack of ASUS computers).
With the Online Web Checker you have to enter the MAC address in a form and get the feedback if it is considered by the backdoor (see screenshot). The steps to determine the MAC address via ipconfig /all can be retrieved via a web link in the Web Checker form.
Kaspersky Lab will present the complete results of Operation ShadowHammer at the Security Analyst Summit 2019 in Singapore from 9 to 11 April. (via)
Addedum: ASUS Live Update Utility 3.6.8 and Check Tool
ASUS has released version 3.6.8 of the ASUS Live Update Utility which no longer has this backdoor. Details can be found on this ASUS website. In this statement, ASUS discusses the subject, mentions the new version 3.6.8 of the ASUS Live Update Utility and a check tool that allows you to check the system for a compromised version with the backdoor. The tool is available via this file ASDT_v126.96.36.199.0.zip. (via)
Addendum 2: See my further reading Backdoor: ASUS has been warned about risks since months