Executive summary
channel for launching attacks. Publicly
available reports indicate that attackers have reached a large
number of devices through auto-update software provided with computers from
Taiwanese manufacturer ASUS. In a campaign dubbed “Operation ShadowHammer”,
attackers have compromised the ASUS update infrastructure to deliver backdoored
versions of the Asus Live Update app, which comes preinstalled on ASUS
computers.
as well as malware samples and telemetry. We have consolidated detections of
malicious binaries involved in this attack under the name ShadowHammer.
backdoored version of their updater and implemented enhancements to their
infrastructure. Microsoft continues to investigate this threat and will provide
updates as we get more information.
ASUS has also implemented a fix in the latest version (ver. 3.6.8) of the Live Update software, introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism. At the same time, we have also updated and strengthened our server-to-end-user software architecture to prevent similar attacks from happening in the future.
Additionally, we have created an online security diagnostic tool to check for affected systems, and we encourage users who are still concerned to run it as a precaution. The tool can be found here: https://dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/ASUSDiagnosticTool/ASDT_v1.0.1.0.zip
Users who have any additional concerns are welcome to contact ASUS Customer Service.
More information about APT groups: https://www.fireeye.com/current-threats/apt-groups.html
- How do I know whether or not my device has been targeted by the malware attack?
Only a very small number of specific user groups were found to have been targeted by this attack, and as such it is extremely unlikely that your device has been targeted. However, if you are still concerned about this matter, feel free to use ASUS' security diagnostic tool or contact ASUS Customer Service for assistance.
- What should I do if my device is affected?
Immediately run a backup of your files and restore your operating system to factory settings. This will completely remove the malware from your computer. In order to ensure the security of your information, ASUS recommends that you regularly update your passwords.
- How do I make sure that I have the latest version of ASUS Live Update?
You can find out whether or not you have the latest version of ASUS Live Update by following the instructions shown in the link below:
https://www.asus.com/support/FAQ/1018727/
- Have other ASUS devices been affected by the malware attack?
No, only the version of Live Update used for notebooks has been affected. All other devices remain unaffected.
Analysis
the backdoored Asus Live Update app representing at least two generations of
attack code. The generations are distinguished by whether the embedded shellcode is stored in plaintext or encrypted, and the appearance of each updater variant corresponds to the validity period of the certificate used to sign it.
target specific computers. They contain hardcoded MD5 hashes of MAC addresses and appear to use these hashes to identify targets and decide whether to deploy additional payloads. Hashing hides the target list from casual inspection of the binary but not from analysis: a MAC address is only 48 bits and its vendor prefix is public, so the hashes can be brute-forced offline to recover the targeted addresses.
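The following is an added example, not code from the Microsoft report or from the ShadowHammer sample itself. It models the target gate described above: local MAC addresses are hashed with MD5 and compared with a hardcoded list, and only a match unlocks the next stage. It also shows why the hashing gives little secrecy by brute-forcing a hash back to its MAC. Two things are assumptions of this example, not facts from the page: the exact string the implant feeds to MD5 (lower-case, colon-separated is assumed here), and the target hashes, which are built from made-up MAC addresses rather than the real indicators.

```python
"""Added example: MAC-hash target gating and its reversal.

Not the implant's code. Assumed: the hashed string is the lower-case,
colon-separated MAC ("aa:bb:cc:dd:ee:ff"); the target list is constructed.
"""
import hashlib
import itertools
from typing import Iterable, Optional

HEX = set("0123456789abcdef")


def normalize_mac(mac: str) -> str:
    """Canonical form assumed for hashing: lower-case, colon-separated."""
    octets = mac.strip().replace("-", ":").lower().split(":")
    if len(octets) != 6 or any(len(o) != 2 or set(o) - HEX for o in octets):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(octets)


def mac_hash(mac: str) -> str:
    """MD5 hex digest of the normalized MAC string."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed target list: hashes of two made-up MACs, stored the way the
# report says the implant stores them, so the targets are not readable
# directly from the binary.
TARGET_MACS = ("00:0c:29:4f:8e:12", "b8:ae:ed:7a:01:99")
TARGET_HASHES = frozenset(mac_hash(m) for m in TARGET_MACS)


def is_targeted(host_macs: Iterable[str],
                target_hashes=TARGET_HASHES) -> Optional[str]:
    """Return the first local MAC whose hash is on the list, else None.

    This is the gate the report describes: the additional payload is only
    deployed when one of the host's MAC hashes matches.
    """
    for mac in host_macs:
        if mac_hash(mac) in target_hashes:
            return normalize_mac(mac)
    return None


def recover_mac(target_hash: str, known_prefix: str) -> Optional[str]:
    """Reverse a hashed MAC by brute force.

    The OUI (first three octets) is public, so each hashed target has at
    most 2^24 candidates per vendor prefix, which is feasible offline.
    To keep this demo fast, the first four octets are taken as known and
    only the last two (2^16 candidates) are searched.
    """
    for hi, lo in itertools.product(range(256), repeat=2):
        candidate = f"{known_prefix}:{hi:02x}:{lo:02x}"
        if mac_hash(candidate) == target_hash:
            return candidate
    return None


if __name__ == "__main__":
    # Constructed host adapters: one benign, one on the target list.
    host_adapters = ["00:11:22:33:44:55", "B8-AE-ED-7A-01-99"]
    print("targeted MAC:", is_targeted(host_adapters))
    print("recovered from hash:",
          recover_mac(mac_hash(TARGET_MACS[0]), "00:0c:29:4f"))
```

Running this against a real host would mean feeding the adapter list (for example from `Get-NetAdapter` on Windows) into `is_targeted`; the brute-force half is the reason a hashed target list should be treated as a recoverable list of victims rather than an opaque blob.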
Mitigations
threat. Check the recommendations card for the deployment status of monitored
mitigations.
- Turn on cloud-delivered protection and automatic sample submission on Windows Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
- Use Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
- Secure internet-facing RDP services behind a multi-factor authentication (MFA) gateway. If you don't have an MFA gateway, enable network-level authentication (NLA) and ensure that server machines have strong, randomized local admin passwords.
- Customers that have not installed the ASUS Live Update app are not affected by the known attack method. Customers can either uninstall this app or get the latest version. According to ASUS, version 3.6.8 includes a fix and additional mechanisms that can prevent manipulation of updates.
- Use Microsoft Edge or other web browsers that support SmartScreen. SmartScreen has removed reputation information for the certificates abused during these attacks. Binaries signed with those certificates will trigger a warning about an "unrecognized app".
Detection details
Windows Defender Antivirus
backdoor implants as the following malware:
Endpoint detection and response (EDR)
Defender Security Center portal can indicate threat activity on your network:
- Malicious binaries associated with a supply chain attack
- Network traffic to domains associated with a supply chain attack
Advanced hunting
took place from June to November 2018, so some customers might only have
telemetry around this period. To locate related attack activity in the past 30
days, run the following query:
//Event types that may be associated with the implant or container
union ProcessCreationEvents, NetworkCommunicationEvents, FileCreationEvents, ImageLoadEvents
| where EventTime > ago(30d)
//File SHA-1 hashes for implant and container (40-character digests, so they must be compared with the SHA1 column, not SHA256)
| where InitiatingProcessSHA1 in("e01c1047001206c52c87b8197d772db2a1d3b7b4",
"e005c58331eb7db04782fdf9089111979ce1406f", "69c08086c164e58a6d0398b0ffdcb957930b4cf2")

The download domain is covered by a second, separate query:

//Download domain
NetworkCommunicationEvents
| where EventTime > ago(30d)
| where RemoteUrl == "asushotfix.com" or RemoteIP == "141.105.71.116"

Change EventTime to focus on a different period.
Indicators
Files (SHA-1)
- 2c591802d8741d6aef1a278b9aca06952f035b8f
- e01c1047001206c52c87b8197d772db2a1d3b7b4
- 5039ff974a81caf331e24eea0f2b33579b00d854
- 9f0dbf2ba3b237ff5fd4213b65795595c513e8fa
- e793c89ecf7ee1207e79421e137280ae1b377171
- e005c58331eb7db04782fdf9089111979ce1406f
- 4a8d9a9ca776aaaefd7f6b3ab385dbcfcbf2dfff
- fdc7169d7e0a421dfb37ab2a9ecae9c9d5b4b8b2
Malware download URL
- hxxp://asushotfix.com
URLs with compromised packages
- hxxp://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip
- hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip
- hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip
- hxxps://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip
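The block below is an added example, not part of the Microsoft report or of any Microsoft tooling. It applies the file and network indicators listed above to telemetry offline, the way the advanced hunting queries do inside the portal: it refangs the defanged indicators (hxxp, [.]), classifies the file digests by length so that 40-character SHA-1 values are never compared with a SHA-256 field, and matches network events on the host name (including subdomains) rather than on the full URL. The indicators are the ones on this page; the event records and their field names are constructed for the example.

```python
"""Added example: offline IOC matcher for the ShadowHammer indicators.

Indicator values are taken from the report; the telemetry events and the
event field names ("sha1", "remote_url", "remote_ip") are constructed.
"""
import hashlib
from typing import Iterable, List, Optional, Tuple
from urllib.parse import urlsplit

# File indicators from the report (SHA-1, 40 hex characters each).
FILE_SHA1 = frozenset({
    "2c591802d8741d6aef1a278b9aca06952f035b8f",
    "e01c1047001206c52c87b8197d772db2a1d3b7b4",
    "5039ff974a81caf331e24eea0f2b33579b00d854",
    "9f0dbf2ba3b237ff5fd4213b65795595c513e8fa",
    "e793c89ecf7ee1207e79421e137280ae1b377171",
    "e005c58331eb7db04782fdf9089111979ce1406f",
    "4a8d9a9ca776aaaefd7f6b3ab385dbcfcbf2dfff",
    "fdc7169d7e0a421dfb37ab2a9ecae9c9d5b4b8b2",
})
# Network indicators from the report, defanged as published.
NETWORK_IOCS = ("hxxp://asushotfix.com", "141.105.71.116")


def refang(ioc: str) -> str:
    """Undo common defanging so the value can be compared with real telemetry."""
    return (ioc.strip().replace("hxxp", "http")
            .replace("[.]", ".").replace("(.)", "."))


def host_of(value: str) -> str:
    """Host part of a URL, or the value itself if it is a bare host or IP."""
    v = refang(value).lower()
    if "://" not in v:
        v = "//" + v          # lets urlsplit parse a bare host the same way
    return urlsplit(v).hostname or ""


NETWORK_HOSTS = frozenset(host_of(i) for i in NETWORK_IOCS)


def hash_kind(digest: str) -> str:
    """Classify a hex digest by length. The report's file indicators are
    SHA-1; comparing them with a SHA-256 field silently matches nothing."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(digest.strip()), "unknown")


def host_matches(host: str) -> bool:
    """Exact or subdomain match against the indicator hosts."""
    host = host.lower()
    return any(host == ioc or host.endswith("." + ioc) for ioc in NETWORK_HOSTS)


def match_event(event: dict) -> Optional[str]:
    """Return the matched indicator for one event, or None."""
    if event["type"] == "file":
        digest = event["sha1"].strip().lower()
        if hash_kind(digest) != "sha1":
            return None
        return digest if digest in FILE_SHA1 else None
    if event["type"] == "network":
        host = host_of(event.get("remote_url") or "")
        if host and host_matches(host):
            return host
        ip = (event.get("remote_ip") or "").strip()
        return ip if ip in NETWORK_HOSTS else None
    return None


def scan(events: Iterable[dict]) -> List[Tuple[dict, str]]:
    """Run every event through match_event and keep the hits."""
    hits = []
    for event in events:
        matched = match_event(event)
        if matched:
            hits.append((event, matched))
    return hits


# Constructed telemetry, not real logs: two file events and four network events.
SAMPLE_EVENTS = [
    {"type": "file", "sha1": "E01C1047001206C52C87B8197D772DB2A1D3B7B4"},
    {"type": "file", "sha1": hashlib.sha1(b"benign installer bytes").hexdigest()},
    {"type": "network", "remote_url": "http://asushotfix.com/payload",
     "remote_ip": "141.105.71.116"},
    {"type": "network", "remote_url": "https://cdn.asushotfix.com/x",
     "remote_ip": "203.0.113.9"},
    {"type": "network", "remote_url": "https://liveupdate01.asus.com/pub/",
     "remote_ip": "203.0.113.10"},
    {"type": "network", "remote_url": None, "remote_ip": "141.105.71.116"},
]

if __name__ == "__main__":
    for event, matched in scan(SAMPLE_EVENTS):
        print(f"HIT {matched!r} <- {event}")
```

Note that the legitimate liveupdate01.asus.com download URLs listed above are deliberately not treated as indicators here: they hosted the compromised packages on ASUS's own infrastructure, so matching on that host would flag every normal Live Update download rather than the malicious ones.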
Abused certificates
ASUSTeK Computer Inc.
Status: This certificate has expired and is no longer valid.
Issuer: DigiCert SHA2 Assured ID Code Signing CA
Valid from: 12:00 AM 07/27/2015
Valid to: 12:00 PM 08/01/2018
Valid usage: Code Signing
Algorithm: sha256RSA
Thumbprint: 29935023FF1386F5F0A0355B778B0DFF2022E196
Serial number: 0F F0 67 D8 01 F7 DA EE AE 84 2E 9F E5 F6 10 EA

ASUSTeK Computer Inc.
Status: Valid
Issuer: DigiCert SHA2 Assured ID Code Signing CA
Valid from: 12:00 AM 06/20/2018
Valid to: 12:00 PM 06/22/2021
Valid usage: Code Signing
Algorithm: sha256RSA
Thumbprint: 626646D29C5B0E7C53AA84698A4A97BE323CF17F
Serial number: 05 E6 A0 BE 5A C3 59 C7 FF 11 F4 B4 67 AB 20 FC
References
- Operation ShadowHammer. Kaspersky (accessed 2019-03-25)
- ShadowHammer: Malicious updates for ASUS laptops. Kaspersky (accessed 2019-03-25)
- Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers. Motherboard (accessed 2019-03-25)
- ASUS response to the recent media reports regarding ASUS Live Update tool attack by Advanced Persistent Threat (APT) groups. ASUS (accessed 2019-03-26)