Operation ShadowHammer APT targeted ASUS Live Update Utility

  1. Brink's Avatar
    Posts : 38,040
    64-bit Windows 10 Pro build 18865

    Operation ShadowHammer APT targeted ASUS Live Update Utility

    Earlier today, Motherboard published a story by Kim Zetter on Operation ShadowHammer, a newly discovered supply chain attack that leveraged ASUS Live Update software.

    While the investigation is still in progress and full results and technical paper will be published during SAS 2019 conference in Singapore, we would like to share some important details about the attack.

    In January 2019, we discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and according to our telemetry, it affected a large number of users.

    ASUS Live Update is an utility that is pre-installed on most ASUS computers and is used to automatically update certain components such as BIOS, UEFI, drivers and applications. According to Gartner, ASUS is the world’s 5th-largest PC vendor by 2017 unit sales. This makes it an extremely attractive target for APT groups that might want to take advantage of their userbase.

    Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide.

    The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.

    We believe this to be a very sophisticated supply chain attack, which matches or even surpasses the Shadowpad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly due to the fact that the trojanized updaters were signed with legitimate certificates (eg: “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.

    Digital signature on a trojanized ASUS Live Update setup installer
    Certificate serial number: 05e6a0be5ac359c7ff11f4b467ab20fc

    We have contacted ASUS and informed them about the attack on Jan 31, 2019, supporting their investigation with IOCs and descriptions of the malware.

    Although precise attribution is not available at the moment, certain evidence we have collected allows us to link this attack to the ShadowPad incident from 2017. The actor behind the ShadowPad incident has been publicly identified by Microsoft in court documents as BARIUM. BARIUM is an APT actor known to be using the Winnti backdoor. Recently, our colleagues from ESET wrote about another supply chain attack in which BARIUM was also involved, that we believe is connected to this case as well.

    A victim distribution by country for the compromised ASUS Live Updater looks as follows:

    It should be noted that the numbers are also highly influenced by the distribution of Kaspersky users around the world. In principle, the distribution of victims should match the distribution of ASUS users around the world.

    We’ve also created a tool which can be run to determine if your computer has been one of the surgically selected targets of this attack. To check this, it compares MAC addresses of all adapters to a list of predefined values hardcoded in the malware and alerts if a match was found.

    Download an archive with the tool (.exe)

    Also, you may check MAC addresses online. If you discover that you have been targeted by this operation, please e-mail us at: shadowhammer@kaspersky.com


    Kaspersky Lab verdicts for the malware used in this and related attacks:

    • HEUR:Trojan.Win32.ShadowHammer.gen

    Domains and IPs:

    • asushotfix[.]com
    • 141.105.71[.]116

    Some of the URLs used to distribute the compromised packages:

    • hxxp://liveupdate01.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip
    • hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip
    • hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip
    • hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip

    Hashes (Liveupdate_Test_VER365.zip):

    • aa15eb28292321b586c27d8401703494
    • bebb16193e4b80f4bc053e4fa818aa4e2832885392469cd5b8ace5cec7e4ca19

    A full set of IOCs and Yara rules is available to customers of Kaspersky Intelligence Reporting service – contact intelreports@kaspersky.com

    Read more:
      My ComputersSystem Spec

  2. Caledon Ken's Avatar
    Posts : 13,777
    Windows 10 Pro x64 Build 1809

    Thanks for posting. Ran it on our Asus laptop, came up clean.
      My ComputerSystem Spec

  3.    #2

    I have Asus laptop the Asus live update utiity is not installed I check in Programs and Features and there isn't I use the Kaspersky tool and it tells that i am not impacted. In the Esupport folder is present a subfolder with some Asus programs and there is the live update utility set up to install this program I can delete this folder?

    I only use Windows update to update drives
      My ComputerSystem Spec

  4. Brink's Avatar
    Posts : 38,040
    64-bit Windows 10 Pro build 18865
    Thread Starter

    ASUS response to recent media reports regarding ASUS Live Update tool

    ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups

    Advanced Persistent Threat (APT) attacks are national-level attacks usually initiated by a couple of specific countries, targeting certain international organizations or entities instead of consumers.

    ASUS Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from ASUS. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.

    ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.

    Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/n...T_v1.0.1.0.zip

    Users who have any additional concerns are welcome to contact ASUS Customer Service.

    More information about APT groups: https://www.fireeye.com/current-threats/apt-groups.html

    How do I know whether or not my device has been targeted by the malware attack?
    Only a very small number of specific user group were found to have been targeted by this attack and as such it is extremely unlikely that your device has been targeted. However, if you are still concerned about this matter, feel free to use ASUS’ security diagnostic tool or contact ASUS Customer Service for assistance.

    What should I do if my device is affected?
    Immediately run a backup of your files and restore your operating system to factory settings. This will completely remove the malware from your computer. In order to ensure the security of your information, ASUS recommends that you regularly update your passwords.

    How do I make sure that I have the latest version of ASUS Live Update?
    You can find out whether or not you have the latest version of ASUS Live Update by following the instructions shown in the link below:
    How do I ensure that my device has the latest and safest version of ASUS Live Update? | Official Support | ASUS Global

    Have other ASUS devices been affected by the malware attack?
    No, only the version of Live Update used for notebooks has been affected. All other devices remain unaffected.

    Source: ASUS Global
      My ComputersSystem Spec

  5. magilla's Avatar
    Posts : 2,264
    Windows 10 and windows insider

    Thanks for info and download - my machine not affected the tool says.
      My ComputerSystem Spec

  6.    #5

    Hackers Get to ASUS Live Update Servers

    Hackers Get to ASUS Live Update Servers, Plant Malware in Thousands of Computers

    Hackers Get to ASUS Live Update Servers, Plant Malware in Thousands of Computers

    by btarunr Yesterday, 03:41 Discuss (42 Comments)
    In a chilling reminder of just why system software should always be manually updated and never automatically, Vice Motherboard citing Kaspersky Labs reports that hackers have compromised the Live Update servers of ASUS, making them push malware to thousands of computers configured to fetch and install updates automatically. These include not just PC motherboards, but also pre-builts such as notebooks and desktops by ASUS. Smartphones and IoT devices by ASUS are also affected. Hackers have managed to use valid ASUS digital certificates to masquerade their malware as legitimate software updates from ASUS.

    Kaspersky Labs says that as many as half a million devices have fallen prey to malware pushed to them by ASUS. The cybersecurity firm says it discovered the malware in January 2019 when implementing a new supply-chain detection technology, and informed ASUS by late-January. Kaspersky even sent a technically-sound representative to meet with ASUS in February. Kaspersky claims that ASUS has since been "largely unresponsive since then and has not notified ASUS customers about the issue." ASUS is already drowning in bad-rep from the PC enthusiast community for its Armoury Crate feature that lets motherboard BIOS push software to a Windows installation through an ACPI table dubbed "the vendor's rootkit," which ASUS enabled by default on new motherboards. Who knows what recent motherboard BIOS updates have pushed into your PC through this method.
    Source: https://www.techpowerup.com/254065/h...s-of-computers

    More: https://betanews.com/2019/03/26/asus...kdoor-malware/
      My ComputerSystem Spec


Related Threads
So basically despite I would have expected a lot of people to have reported this but apparently nobody kind of believe disk IO to be of a significant importance despite we pay dearly just to get an SSD or an Optane drive just because they are faster...
Earlier within two weeks I downloaded that file from the site of Majorgeeks also I saw other sites have the same download too. But I need to know what does this program, NVIDIA Firmware Update Utility (Version 5.469.0) do with the computers? I have...
Solved Driver update Utility in Drivers and Hardware
All: I have a program that wants to update my drivers. It said it found 3 drivers that were outdated & wanted to update them! I said yes with some trepidation, then it asked for my Email address! That's were I stopped & backed out &...
Deleting 374,707 items ... 99% complete <-- what is the remaining 1% ? Time remaining <-- empty, why ? items remaining: 0 (o bytes) <-- why does it never finish delete operation ? Note: with delete command - as with most Windows 10 commands -...
I have an Asus G771JW notebook. Did a clean install of Win 10(after upgrading from 8.1) now whenever I try and search for Intel drivers, it says it can't detect any devices. When I go to manually search for drivers, I'm only offered desktop board...
Our Sites
Site Links
About Us
Windows 10 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 10" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd
All times are GMT -5. The time now is 09:33.
Find Us