Security vendor Kaspersky today disclosed a new advanced persistent threat (APT) that it says may have affected more than a million users of ASUS hardware worldwide. The hackers behind the APT, dubbed ShadowHammer, allegedly altered the ASUS Live Update Utility and injected a backdoor into the system between June and November of last year.
That utility is responsible for pushing important software updates to ASUS laptops and desktops. To bypass detection by major security solutions, the hackers signed the modified versions of the utility with legitimate digital certificates stolen from ASUS and pushed the trojanized utility to the firm's update servers.
According to Kaspersky's findings, each copy of the backdoor code carries a list of MAC addresses. It checks the device's unique MAC address against that list and downloads a malicious payload onto the computer once a match is found. Out of the hundreds of thousands of potentially affected devices, only 600 specific MAC addresses were targeted by the malware.
Kaspersky researchers also found three other vendors based in Asia whose software was infected with the same backdoor. Vitaly Kamluk, Director of Global Research and Analysis Team for APAC at Kaspersky Lab, said:
“The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base. It is not yet very clear what the ultimate goal of the attackers was and we are still researching who was behind the attack. However, techniques used to achieve unauthorized code execution, as well as other discovered artefacts, suggest that ShadowHammer is probably related to the BARIUM APT, which was previously linked to the ShadowPad and CCleaner incidents, among others. This new campaign is yet another example of how sophisticated and dangerous a smart supply chain attack can be nowadays.”
Kaspersky discovered the malware in January and has since reported it to ASUS and the three other unnamed vendors. Full details of ShadowHammer will be presented at Security Analyst Summit 2019 in Singapore from April 9 to 11.