Security experts have uncovered a sophisticated new APT campaign which may have infected more than one million Asus users via a backdoored utility.
Kaspersky Lab revealed that the group behind Operation ShadowHammer focused its efforts on a supply chain attack of the kind seen in recent years in the CCleaner and ShadowPad incidents.
They targeted the Asus Live Update Utility, which is virtually ubiquitous among newer models from the Asian computer giant. Trojanized versions of the utility were signed with legitimate Asus certificates and distributed from official Asus servers, allowing them to go undetected.
However, while the initial backdoor may have been unwittingly installed over a million times, the hackers were actually after a much smaller group of targets. Only those belonging to a group of several hundred users received a second-stage malware download, once the threat had checked their MAC address against a hardcoded list.
In total, Kaspersky Lab said it was able to identify 600 MAC addresses targeted by over 230 unique backdoored samples with different shellcodes.
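The gating mechanism described above, where the backdoor only fetches its second stage if the host's MAC address appears on a hardcoded list, is something defenders can turn around into a triage check: normalize every adapter address a host reports and compare it against a watchlist. The script below is an added example, not code from Kaspersky, Asus or the article; the watchlist entries are constructed placeholders, not the real targeted MAC addresses, and storing the list as SHA-256 hashes is an assumption made here so that the watchlist itself does not disclose targets.

```python
"""Defensive triage: check a host's network adapters against a watchlist of
targeted MAC addresses. Added example; the watchlist below is CONSTRUCTED and
is not the ShadowHammer list."""
import hashlib
import re
import uuid

# Constructed placeholder watchlist, kept as SHA-256 of the canonical MAC.
# (Assumption: a real watchlist would be distributed hashed, not in clear.)
WATCHLIST_HASHES = {
    hashlib.sha256(b"00:11:22:33:44:55").hexdigest(),
    hashlib.sha256(b"aa:bb:cc:dd:ee:ff").hexdigest(),
}

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize 'AA-BB-CC-DD-EE-FF', 'aabb.ccdd.eeff' or 'AA:BB:...'
    to lowercase colon-separated form, so formatting differences between
    operating systems cannot hide a match."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """Hash a MAC the same way the watchlist entries are stored."""
    return hashlib.sha256(normalize_mac(mac).encode()).hexdigest()


def find_targeted(macs, watchlist_hashes=WATCHLIST_HASHES):
    """Return the normalized subset of `macs` whose hash is on the watchlist.
    Strings that are not MAC addresses are skipped rather than aborting."""
    hits = []
    for mac in macs:
        try:
            canonical = normalize_mac(mac)
        except ValueError:
            continue
        if hashlib.sha256(canonical.encode()).hexdigest() in watchlist_hashes:
            hits.append(canonical)
    return hits


def local_macs():
    """Best-effort: the primary adapter via uuid.getnode(). Note that getnode()
    may return a random 48-bit value when no hardware address is available;
    a production triage script would enumerate every adapter (for example by
    parsing `ip link` or `getmac` output) rather than rely on this."""
    return ["%012x" % uuid.getnode()]


if __name__ == "__main__":
    # Constructed sample input: two adapters as a host might report them, plus junk.
    sample = ["00-11-22-33-44-55", "02:42:AC:11:00:02", "not-a-mac"]
    print("sample hits:", find_targeted(sample))   # ['00:11:22:33:44:55']
    print("local hits: ", find_targeted(local_macs()))
```

A hit means only that an adapter address is on the watchlist; the next step in an investigation is to confirm whether the backdoored updater was ever present on that host, since the article notes that the first stage was installed far more widely than the second.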
Three other computer vendors in Asia have been targeted in a similar manner, and subsequently notified by the Russian AV firm. It believes a China-related APT group behind the Winnti backdoor is the prime suspect.
“The selected vendors are extremely attractive targets for APT groups that might want to take advantage of their vast customer base. It is not yet very clear what the ultimate goal of the attackers was and we are still researching who was behind the attack,” said Vitaly Kamluk, Kaspersky’s APAC director of the global research and analysis team.
“However, techniques used to achieve unauthorized code execution, as well as other discovered artifacts suggest that ShadowHammer is probably related to the BARIUM APT, which was previously linked to the ShadowPad and CCleaner incidents, among others. This new campaign is yet another example of how sophisticated and dangerous a smart supply chain attack can be nowadays.”