Kaspersky Lab researchers made an alarming discovery. ASUS, one of the biggest computer makers, was used to install a malicious backdoor on customers’ machines.
The installation took place last year after hackers compromised a server for the maker’s live software update tool. The malicious file was signed with legitimate ASUS certificates, making it look like an authentic software update issued by the company.
Malicious Backdoor Installed on Half a Million ASUS Computers
According to Kaspersky researchers, half a million Windows computers received the malicious backdoor via the ASUS update server. It is worth noting that the attackers seem to have been interested in only about 600 of these systems, making the attack a targeted one. The malicious operation used the machines’ MAC addresses to single out those targets. Once the malware was on a targeted system, it contacted a command-and-control server, which then installed more malware.
The attack was discovered in January, shortly after Kaspersky added a new supply-chain detection technology to its scanning tool. The investigation is still in progress, and the full results and a technical paper will be presented at the SAS 2019 conference, Kaspersky said in a report that revealed some technical details about the attack. The attack itself has been dubbed ShadowHammer.
The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.
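As an added illustration of the targeting described above (this is not code from the article or from Kaspersky’s report), the following Python script shows the defender’s side of the same check: take a list of MAC addresses recovered from trojanized samples as indicators of compromise, normalize the various ways a MAC can be written, and report whether any of a host’s network adapters is on the list. The IoC entries and the adapter addresses in the test are constructed placeholders, not the real values, and the script assumes the list holds plain MAC addresses as the article describes.

```python
"""Hunt for hosts whose adapter MAC addresses appear on an IoC list.

Added example, not from the article or Kaspersky's report. The IoC
values below are constructed placeholders; substitute the real list
published with the vendor's indicators.
"""
import re
import uuid

# Constructed placeholder IoCs in the three formats commonly seen in reports.
TARGET_MAC_IOCS = [
    "00-11-22-33-44-55",
    "aa:bb:cc:dd:ee:ff",
    "0A1B2C3D4E5F",
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, no separators.

    Raises ValueError for anything that is not a MAC address, so that
    '00:11:22:33:44:55', '00-11-22-33-44-55' and '001122334455' compare equal
    and junk such as '' or 'garbage' is rejected rather than silently matched.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def load_ioc_set(iocs):
    """Normalize every indicator once so lookups are O(1) and format-agnostic."""
    return {normalize_mac(m) for m in iocs}


def find_matches(adapter_macs, iocs=TARGET_MAC_IOCS):
    """Return the host's MACs (normalized) that appear in the IoC list."""
    ioc_set = load_ioc_set(iocs)
    matches = []
    for mac in adapter_macs:
        try:
            canonical = normalize_mac(mac)
        except ValueError:
            continue  # skip unparsable entries instead of aborting the hunt
        if canonical in ioc_set:
            matches.append(canonical)
    return matches


def local_primary_mac() -> str:
    """Best-effort MAC of this host via uuid.getnode().

    The standard library falls back to a random 48-bit value with the
    multicast bit (bit 40) set when it cannot read a real adapter; treat
    that case as 'unknown' and return '' rather than a meaningless address.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:
        return ""
    return f"{node:012x}"


if __name__ == "__main__":
    hits = find_matches([local_primary_mac()])
    print("MATCH on IoC list:" if hits else "no match", hits)
```

On a fleet, the same `find_matches` would be fed the adapter list collected by an endpoint agent or inventory tool rather than `uuid.getnode()`, which only reports one interface; the normalization step matters because published indicator lists, Windows `ipconfig` output and Linux `ip link` output all spell the same address differently.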
The researchers contacted ASUS and informed them about the attack on Jan 31, 2019, supporting their investigation with IOCs and descriptions of the malware. “We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques,” the researchers said.