ASUS Was Just One of Many ShadowHammer Targets
The ShadowHammer hacking operation infiltrated at least six other organizations besides ASUS.
Kaspersky's security researchers found that the ASUS supply chain was compromised by trojanizing the ASUS Live Update utility, which, by the experts' estimates, was then downloaded and installed on the computers of thousands of customers.
The attackers tampered with the binaries and then signed them with a legitimate certificate, so the malicious updater carried a valid signature and was not flagged.
The researchers also found that ASUS was not the only company whose IT infrastructure was infiltrated during Operation ShadowHammer. A number of other malware samples, also signed with valid and legitimate certificates, used the same algorithm as the ASUS samples to calculate API function hashes, and IPHLPAPI.dll was heavily used in all of them for various purposes.
Besides three Asian gaming companies, Electronics Extreme, Innovative Extremist and Zepetto, Kaspersky also found three other organizations that were successfully compromised: “another video gaming company, a conglomerate holding company and a pharmaceutical company, all in South Korea.”
In the case of the three gaming vendors, the threat actors dropped a malicious payload designed to collect system information and download additional payloads from its command-and-control (C&C) server.
The researchers are in the process of alerting the other three organizations that they were also attacked by Operation ShadowHammer.
Once installed on a victim's computer, the trojanized games, which serve as malware droppers, first check whether a number of traffic/process monitoring tools are running or whether the system language is set to Simplified Chinese or Russian; if either condition is met, the backdoor stops executing.
Otherwise, the malware collects the following system information:
- Network adapter MAC address
- System username
- System hostname and IP address
- Windows version
- CPU architecture
- Current host FQDN
- Domain name
- Current executable file name
- Drive C: volume name and serial number
- Screen resolution
- System default language ID
All of this information is sent to the C&C server in an HTTP POST request, after which the backdoor issues a GET request to receive commands.
The following commands were discovered:
- DownUrlFile – download URL data to file
- DownRunUrlFile – download URL data to file and execute it
- RunUrlBinInMem – download URL data and run as shellcode
- UnInstall – set a registry flag that prevents the malware from starting
The UnInstall command sets the registry value HKCU\SOFTWARE\Microsoft\Windows\{0753-6681-BD59-8819} to 1, which stops the malware from contacting the C2 again. No files are deleted from disk, so they can still be recovered through forensic analysis.
The researchers also found that the ShadowPad backdoor used in Operation ShadowHammer now uses editable Google Docs for C&C communication.
As Kaspersky discovered, “ShadowHammer reused algorithms in multiple malware samples, including PlugX, which is a popular backdoor among Chinese-speaking hacker groups.”
Following the disclosure, ASUS confirmed the hacking incident and stated that “only the version of Live Update used for notebooks has been affected,” with no other devices impacted by the supply chain attack.
ASUS users can check whether their notebooks were targeted in the attack with the offline checkers provided by ASUS and Kaspersky, or with the online web checker available on Kaspersky's website.
On the other hand, software vendors are advised by Kaspersky’s research team to “introduce another procedure into their software production process that additionally checks their software for potential malware injections even after the code is digitally signed.”
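The quoted advice amounts to a check that runs after the signing step. As an added example (this is not code from the article, Kaspersky or ASUS), the Python below implements the simplest useful form of it: hash every PE section of the unsigned build output and of the signed release artifact and require them to match, because Authenticode signing only appends a certificate table and touches a few header fields. The PE files, the stand-in "signer" and the "implant" in the script are constructed test data, and the parser reads only the section table.

```python
"""Post-signing section check (added example, not from the article, Kaspersky
or ASUS).  Signing should only append a certificate table and update header
fields, so every PE section's raw bytes must be identical between the unsigned
build output and the signed release artifact.  A section whose hash changed
after signing means code was injected before signing, which the signature
itself never reveals.  Sample PEs, the fake signer and the implant are all
constructed here so the script runs offline."""
import hashlib
import struct

FILE_ALIGN = 0x200


def pe_sections(data: bytes) -> dict:
    """Return {section_name: (file_offset, raw_size)} from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + size_opt                      # section headers, 40 bytes each
    sections = {}
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        sections[name] = (raw_ptr, raw_size)
    return sections


def pe_section_hashes(data: bytes) -> dict:
    """SHA-256 of each section's raw file bytes."""
    return {name: hashlib.sha256(data[off:off + size]).hexdigest()
            for name, (off, size) in pe_sections(data).items()}


def post_signing_check(unsigned: bytes, signed: bytes) -> list:
    """Names of sections whose bytes differ between build output and signed
    artifact (or that exist on one side only).  An empty list means signing
    touched nothing but headers and the appended certificate table."""
    a, b = pe_section_hashes(unsigned), pe_section_hashes(signed)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))


def build_sample_pe(sections: dict) -> bytes:
    """Constructed test data: a minimal PE32+ with the given {name: bytes}
    sections.  Not loadable; just enough structure for the check above."""
    e_lfanew, opt_size = 0x40, 0xF0
    table = e_lfanew + 4 + 20 + opt_size
    first_raw = -(-(table + 40 * len(sections)) // FILE_ALIGN) * FILE_ALIGN
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x22)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B)             # Magic: PE32+
    headers = bytearray(dos + b"PE\0\0" + coff + opt)
    body, raw_ptr = bytearray(), first_raw
    for name, content in sections.items():
        raw_size = -(-len(content) // FILE_ALIGN) * FILE_ALIGN
        headers += struct.pack("<8s6I2HI", name, len(content), raw_ptr, raw_size,
                               raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return bytes(headers.ljust(first_raw, b"\0") + body)


def fake_sign(pe: bytes, blob: bytes = b"\x30\x82" + b"\xAA" * 254) -> bytes:
    """Stand-in for the signing step (constructed, not real Authenticode):
    append a certificate blob, point DataDirectory[4] (Certificate Table) at it
    and fill in CheckSum.  A real signing run changes these and nothing inside
    the sections, which is what the check relies on."""
    out = bytearray(pe)
    opt = struct.unpack_from("<I", out, 0x3C)[0] + 4 + 20
    struct.pack_into("<II", out, opt + 144, len(out), len(blob))  # PE32+ cert dir
    struct.pack_into("<I", out, opt + 64, 0xDEADBEEF)             # CheckSum field
    return bytes(out + blob)


def inject(pe: bytes, section: str, offset: int, patch: bytes) -> bytes:
    """Constructed 'build-pipeline implant': overwrite bytes inside a section
    before the binary reaches the signing step."""
    raw_ptr, raw_size = pe_sections(pe)[section]
    if offset + len(patch) > raw_size:
        raise ValueError("patch does not fit in section")
    out = bytearray(pe)
    out[raw_ptr + offset:raw_ptr + offset + len(patch)] = patch
    return bytes(out)


if __name__ == "__main__":
    clean = build_sample_pe({b".text": b"\x48\x31\xc0\xc3" * 64,
                             b".rdata": b"constructed sample updater\0"})
    print("clean build, then signed:    ", post_signing_check(clean, fake_sign(clean)))
    tampered = inject(clean, ".text", 0x10, b"\xcc" * 8)
    print("implanted build, then signed:", post_signing_check(clean, fake_sign(tampered)))
```

The second run reports `['.text']` even though a signature verifier would accept the tampered artifact, which is the gap the advice is aimed at. The check is only as good as the reference it compares against: the article notes that ShadowHammer backdoored developer tools, so an unsigned build taken from the same compromised build machine would match the implanted output. Take the reference from an independent, reproducible build on separately administered infrastructure.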
The researchers also stated that “how many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism.”
Source: https://www.bleepingcomputer.com/news/security/shadowhammer-targets-multiple-companies-asus-just-one-of-them/