ASUS tool infected by Operation ShadowHammer

Kaspersky Lab has discovered a new Advanced Persistent Threat (APT) campaign that has affected more than one million users through an ASUS software supply chain attack. The investigation revealed that the actors behind the threat called Operation ShadowHammer, have targeted some users of the pre-installed ASUS Live Update Utility, injecting through this software a backdoor into their computers, at least between June and November 2018.

Malware was only running on machines whose MAC address was in a list of addresses located in the code. In total, Kaspersky has found about 600 different MAC addresses among 200 samples collected from the backdoor, although the list could be larger, and confirms that more than 57,000 customers were affected.

ASUS has published an official statement in which they make available to users a new version of the software with security enhancements, plus a diagnostic tool to check if the systems are affected.

[Update 25/04/2019] Subsequent research has determined that Asian suppliers Electronics Extrem, Innovative Extremist and Zepetto have also been affected by this threat, and in these cases information related to usernames, computer specifications and operating system versions has been collected. It could also be used to download the malicious load from command and control servers, so unlike the ASUS case, the list of potential victims was not limited to a list of MAC addresses.