ShadowHammer: New details

April 23, 2019

In our previous post about operation ShadowHammer, we promised more details. Although the investigation is still in progress, our researchers are ready to share new details about this sophisticated supply-chain attack.

Scale of operation

As we mentioned before, ASUS was not the only company used by the attackers. Studying this case, our experts found other samples that used similar algorithms. As in the ASUS case, the samples were using digitally signed binaries from three other Asian vendors:

  • Electronics Extreme, authors of the zombie survival game called Infestation: Survivor Stories,
  • Innovative Extremist, a company that provides Web and IT infrastructure services but also used to work in game development,
  • Zepetto, the South Korean company that developed the video game Point Blank.

According to our researchers, the attackers either had access to the source code of the victims’ projects or they injected malware at the time of project compilation, meaning they were in the networks of those companies. And this reminds us of an attack that we reported on a year ago: the CCleaner incident.

Also, our experts identified three additional victims: another video gaming company, a conglomerate holding company and a pharmaceutical company, all in South Korea. For now we cannot share additional details about those victims, because we are in the process of notifying them about the attack.

End goals

In the cases of Electronics Extreme, Innovative Extremist, and Zepetto, compromised software delivered a rather simple payload to the victims’ systems. It was capable of gathering information about the system, including usernames, computer specs, and operating system versions. It could also be used to download a malicious payload from C&C servers, so unlike in the ASUS case, the list of potential victims was not limited to a list of MAC addresses.

Also, that list of 600-plus MAC addresses did not limit the targets to 600 (plus); at least one of them belongs to a virtual Ethernet adapter. All users of that device share the same MAC address.
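The point about shared adapter addresses matters when a defender checks a fleet against such a list: the number of matching hosts can exceed the number of matching list entries. The following is an added example, not code from the original post or from the researchers; it assumes the list is available as plain MAC addresses, and every address, hostname and function name in it is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample data: none of these values come from the real target list.
TARGET_MACS = ["00-11-22-AA-BB-01", "0011.22aa.bb02", "02:00:00:00:00:01"]
INVENTORY = [  # (hostname, adapter MAC as reported by asset tooling)
    ("ws-001", "00:11:22:aa:bb:01"),
    ("ws-002", "02-00-00-00-00-01"),
    ("ws-003", "02:00:00:00:00:01"),
    ("ws-004", "0200.0000.0001"),
    ("ws-005", "00:11:22:aa:bb:99"),
    ("ws-006", "not-a-mac"),
]

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a MAC address."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def is_locally_administered(mac):
    """The 0x02 bit of the first octet marks a software-assigned address."""
    return bool(int(mac[:2], 16) & 0x02)

def match_inventory(targets, inventory):
    """Map each targeted MAC that appears in the inventory to its hosts."""
    wanted = {m for m in map(normalize_mac, targets) if m}
    hits = defaultdict(set)
    for host, raw in inventory:
        mac = normalize_mac(raw)
        if mac in wanted:
            hits[mac].add(host)
    return {mac: sorted(hosts) for mac, hosts in hits.items()}

def summarize(hits):
    """Return (matched list entries, matched hosts, MACs shared by >1 host)."""
    hosts = {h for hs in hits.values() for h in hs}
    shared = sorted(m for m, hs in hits.items() if len(hs) > 1)
    return len(hits), len(hosts), shared

if __name__ == "__main__":
    hits = match_inventory(TARGET_MACS, INVENTORY)
    entries, hosts, shared = summarize(hits)
    print(f"{entries} list entries match {hosts} hosts")
    for mac in shared:
        print(mac, "shared by", hits[mac], "local:", is_locally_administered(mac))
```

On the constructed inventory, two list entries match four hosts, because three machines report the same software-assigned adapter address.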

You can get more technical details from this post on Securelist.

How to avoid becoming a link in a supply-chain attack

The common thread through all of the above-mentioned cases is that attackers got valid certificates and compromised their victims’ development environments. Therefore, our experts recommend that software vendors introduce another procedure into their software production process that additionally checks their software for potential malware injections even after the code is digitally signed.

To prevent attacks like those, you need experienced threat hunters with expertise — and we have it. With the Targeted Attack Discovery service, our experts will help you to identify current cybercriminal and cyberespionage activity in your network, and to understand the reasons behind and possible sources of these incidents. Additionally, we can provide Kaspersky Managed Protection — around-the-clock monitoring and continuous analysis of cyberthreat data. To learn more about our security analysts’ detection of advanced threats, visit the Kaspersky Threat Hunting page.