ShadowHammer: Malicious updates for ASUS laptops

March 25, 2019

Thanks to a new technology in our products that is capable of detecting supply-chain attacks, our experts have uncovered what seems to be one of the biggest supply-chain incidents ever (remember CCleaner? This one’s bigger). A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels.

The trojanized utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time. The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.

According to our statistics, more than 57,000 users of Kaspersky Lab’s products have installed the backdoored utility, but we estimate it was distributed to about 1 million people total. The cybercriminals behind it were not interested in all of them, however — they targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility. To check if your MAC address is on the target list, use our tool, which you’ll find at https://shadowhammer.kaspersky.com/.

While investigating this attack, we found out that the same techniques were used against software from three other vendors. Of course, we have notified ASUS and other companies about the attack. As of now, all Kaspersky Lab solutions detect and block the trojanized utilities, but we still suggest that you update the ASUS Live Update Utility if you use it. Our investigation is still ongoing.

If you want to learn more about one of the biggest supply-chain attacks ever, dive deep into technical details, see the IOCs, understand who the targets were, and get some advice on how to protect yourself from supply-chain attacks such as this one, we suggest visiting the SAS 2019 — the warmest security conference opens its doors on April 8 in Singapore. There we’ll have a talk dedicated to the ShadowHammer APT with a lot of interesting details. The tickets are almost sold out, so you’d better hurry.

Alternatively, you can read our full report, which will also become available during the SAS, on securelist.com. Stay tuned!