Friday, March 29, 2019

Compromised ASUS update infrastructure delivers a supply chain attack through auto-update software

Executive summary

The software supply chain continues to be a popular channel for launching attacks. Publicly available reports indicate that attackers have reached a large number of devices through auto-update software provided with computers from Taiwanese manufacturer ASUS. In a campaign dubbed “Operation ShadowHammer”, attackers have compromised the ASUS update infrastructure to deliver backdoored versions of the Asus Live Update app, which comes preinstalled on ASUS computers.

Microsoft is actively investigating available reports as well as malware samples and telemetry. We have consolidated detections of malicious binaries involved in this attack under the name ShadowHammer.

ASUS has indicated that they have replaced the backdoored version of their updater and implemented enhancements to their infrastructure. Microsoft continues to investigate this threat and will provide updates as we get more information.
ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here:
Users who have any additional concerns are welcome to contact ASUS Customer Service.

More information about APT groups:

  • How do I know whether or not my device has been targeted by the malware attack?
    Only a very small number of specific user groups were found to have been targeted by this attack and as such it is extremely unlikely that your device has been targeted. However, if you are still concerned about this matter, feel free to use ASUS’ security diagnostic tool or contact ASUS Customer Service for assistance.
  • What should I do if my device is affected?
    Immediately run a backup of your files and restore your operating system to factory settings. This will completely remove the malware from your computer. In order to ensure the security of your information, ASUS recommends that you regularly update your passwords.
  • How do I make sure that I have the latest version of ASUS Live Update?
    You can find out whether or not you have the latest version of ASUS Live Update by following the instructions shown in the link below:
  • Have other ASUS devices been affected by the malware attack?
    No, only the version of Live Update used for notebooks has been affected. All other devices remain unaffected.


Our ShadowHammer detections center around variants of the backdoored Asus Live Update app representing at least two generations of attack code. These generations are marked by samples with shellcode that are either in plaintext or encrypted. Also, the appearance of these updater variants corresponds to the validity dates of the certificates used to sign them.
The backdoored updaters might have been designed to target specific computers. They contain hardcoded MD5 hashes representing MAC addresses. They appear to use these hashes to identify targets and determine whether to deploy additional payloads.
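The MAC-address check described above is what the public diagnostic tools reproduce from the defender's side. The following is an added example, not code from Microsoft, ASUS or the implant: it hashes this host's MAC addresses and looks them up in a list of MD5 values. The two hashes are constructed placeholders, and the MAC spellings tried are an assumption, since the page does not state the implant's exact normalization.

```powershell
# Added example (not from the Microsoft or ASUS material above): hash this host's
# MAC addresses and compare them with a list of MD5 values, the check a target-list
# lookup performs. The two hashes below are CONSTRUCTED placeholders, not real
# indicators. The implant's exact MAC normalization is not stated on this page, so
# the formats tried here are an assumption; several common spellings are covered.
$TargetHashes = @(
    '00000000000000000000000000000000',   # placeholder, constructed
    'ffffffffffffffffffffffffffffffff'    # placeholder, constructed
)

function Get-MacHashCandidates {
    param([Parameter(Mandatory)][string]$Mac)
    # Reduce to 12 hex digits, then emit the common textual spellings.
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { return @() }
    $pairs = for ($i = 0; $i -lt 12; $i += 2) { $hex.Substring($i, 2) }
    $forms = @(($pairs -join ':'), ($pairs -join '-'), $hex)
    $forms += $forms | ForEach-Object { $_.ToLower() }
    $md5 = [System.Security.Cryptography.MD5]::Create()
    foreach ($f in $forms) {
        $digest = $md5.ComputeHash([System.Text.Encoding]::ASCII.GetBytes($f))
        [PSCustomObject]@{
            Form = $f
            MD5  = (($digest | ForEach-Object { $_.ToString('x2') }) -join '')
        }
    }
}

function Test-MacTargeted {
    param([string[]]$Macs, [string[]]$Hashes)
    foreach ($mac in $Macs) {
        foreach ($c in Get-MacHashCandidates -Mac $mac) {
            # -contains is case-insensitive, so hex case in the list does not matter.
            if ($Hashes -contains $c.MD5) {
                [PSCustomObject]@{ Mac = $mac; Form = $c.Form; MD5 = $c.MD5 }
            }
        }
    }
}

# Check every physical adapter on this host against the list.
$localMacs = Get-NetAdapter -Physical | Select-Object -ExpandProperty MacAddress
$hits = Test-MacTargeted -Macs $localMacs -Hashes $TargetHashes
if ($hits) { $hits | Format-Table -AutoSize }
else { 'No MAC address on this host hashes to an entry in the target list.' }
```

Replace the placeholder list with the hashes published by a checker you trust; a hit only means the adapter was on the target list, not that the machine was compromised.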


Apply these mitigations to reduce the impact of this threat. Check the recommendations card for the deployment status of monitored mitigations.
  • Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
  • Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
  • Secure internet-facing RDP services behind a multi-factor authentication (MFA) gateway. If you don't have an MFA gateway, enable network-level authentication (NLA) and ensure that server machines have strong, randomized local admin passwords.
  • Customers that have not installed the ASUS Live Update app are not affected by the known attack method. Customers can either uninstall this app or get the latest version. According to Asus, version 3.6.8 includes a fix and additional mechanisms that can prevent manipulation of updates.
  • Utilize Microsoft Edge or other web browsers that support SmartScreen. SmartScreen has removed reputation information for the certificates abused during these attacks. Binaries signed with those certificates will trigger a warning about an “unrecognized app”.

Detection details

Windows Defender Antivirus
Windows Defender Antivirus detects trojanized apps and backdoor implants as the following malware:
Endpoint detection and response (EDR)
Alerts with the following titles in the Windows Defender Security Center portal can indicate threat activity on your network:
  • Malicious binaries associated with a supply chain attack
  • Network traffic to domains associated with a supply chain attack
Advanced hunting
Publicly available reports indicate that this attack took place from June to November 2018, so some customers might only have telemetry around this period. To locate related attack activity in the past 30 days, run the following query:
//Event types that may be associated with the implant or container
union ProcessCreationEvents, NetworkCommunicationEvents, FileCreationEvents, ImageLoadEvents
| where EventTime > ago(30d)
//File SHA-1s for implant and container (the hashes are SHA-1, so match the SHA1 column, not SHA256)
| where InitiatingProcessSHA1 in ("e01c1047001206c52c87b8197d772db2a1d3b7b4",
    "e005c58331eb7db04782fdf9089111979ce1406f", "69c08086c164e58a6d0398b0ffdcb957930b4cf2")
| union (
    //Download domain and IP (the values are elided on this page)
    NetworkCommunicationEvents
    | where EventTime > ago(30d)
    | where RemoteUrl == "" or RemoteIP == ""
)
The provided query checks events from the past 30 days. Change EventTime to focus on a different period.


Files (SHA-1)
Malware download URL
  • hxxp://
URLs with compromised packages
  • hxxp://
  • hxxps://
  • hxxps://
  • hxxps://
Abused certificates
ASUSTeK Computer Inc. 
Status: This certificate has expired and is no longer valid.
Issuer DigiCert SHA2 Assured ID Code Signing CA
Valid from 12:00 AM 07/27/2015
Valid to 12:00 PM 08/01/2018
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 29935023FF1386F5F0A0355B778B0DFF2022E196
Serial number 0F F0 67 D8 01 F7 DA EE AE 84 2E 9F E5 F6 10 EA
ASUSTeK Computer Inc. 
Status: Valid
Issuer DigiCert SHA2 Assured ID Code Signing CA
Valid from 12:00 AM 06/20/2018
Valid to 12:00 PM 06/22/2021
Valid usage Code Signing
Algorithm sha256RSA
Thumbprint 626646D29C5B0E7C53AA84698A4A97BE323CF17F
Serial number 05 E6 A0 BE 5A C3 59 C7 FF 11 F4 B4 67 AB 20 FC
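The two thumbprints above are the practical handle a defender has on the abused certificates: SmartScreen uses them to withdraw reputation, and the same match can be run locally. The following is an added example, not part of the Microsoft or ASUS material, that lists PE files under a path whose Authenticode signer carries one of those thumbprints; the scan path is an assumption.

```powershell
# Added example, not part of the original report: list PE files whose Authenticode
# signer is one of the two ASUSTeK certificates listed above, matched by the
# thumbprints from this page. Legitimate ASUS binaries are signed with the same
# certificates, so a match is a lead, not a verdict: compare the reported SHA-1
# with the known-bad file hashes. The scan path is an assumption.
$AbusedThumbprints = @(
    '29935023FF1386F5F0A0355B778B0DFF2022E196',   # certificate that expired 08/01/2018
    '626646D29C5B0E7C53AA84698A4A97BE323CF17F'    # certificate valid to 06/22/2021
)

function Find-AbusedSignerFiles {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string[]]$Thumbprints
    )
    Get-ChildItem -Path $Path -Recurse -File -Include *.exe, *.dll -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            # Unsigned files have no signer certificate; skip them.
            if ($null -eq $sig.SignerCertificate) { return }
            if ($Thumbprints -contains $sig.SignerCertificate.Thumbprint) {
                [PSCustomObject]@{
                    File       = $_.FullName
                    SHA1       = (Get-FileHash -Path $_.FullName -Algorithm SHA1).Hash
                    Thumbprint = $sig.SignerCertificate.Thumbprint
                    # Status 'Valid' only says the chain verified; a genuine ASUS
                    # signature passes too, which is why the thumbprint is the key.
                    Status     = $sig.Status
                    Signer     = $sig.SignerCertificate.Subject
                }
            }
        }
}

# Assumed location of the Live Update installation; adjust for your environment.
Find-AbusedSignerFiles -Path 'C:\Program Files (x86)\ASUS' -Thumbprints $AbusedThumbprints |
    Format-List
```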


Sites to check if your device has been targeted
Thanks to various sources for this information, including ASUS, FireEye, and Susan E Bradley.