A new backdoor threat to computer systems, dropped and propagated via software updates, is making the rounds these days. Essentially a supply-chain attack, Operation ShadowHammer targets ASUS systems specifically through the ASUS Live Update Utility, which is used to deploy the backdoor. A China-backed Advanced Persistent Threat (APT) actor is suspected to be behind this malicious scheme.
The threat surface isn't small, as the ASUS Live Update Utility is pre-installed on newly shipped ASUS systems and is used for BIOS, driver and general updates. The attackers compromised this utility by obtaining stolen digital certificates that ASUS uses to sign genuine binaries, and edited an older version of the ASUS software to insert malicious code into it. The compromised utility was then signed with the legitimate certificates and distributed from the official ASUS platform. This rendered it practically invisible even to sophisticated endpoint security solutions.
While this implies that all users running the software would be affected, the attackers seem to be interested only in a specific category of users, something typical of APTs. It was revealed that around 600 Media Access Control (MAC) addresses were contained in the backdoor code, to be matched against the infected physical system. Once a match was established, the next tranche of malicious code would be sent; a negative match would leave the malware dormant. It is still unclear whether the resident backdoor remains a threat to host systems, or whether the attackers may take some other line of action in future.
Researchers have sampled 230 such backdoors and, after analyzing them, found that they are designed in a modular form, with multiple precautionary measures in place to prevent code or data leakage. Such a cautious approach signals that the attackers placed prime importance on covering their tracks and identities while hitting targets with surgical precision.
Kaspersky Lab has reported that the campaign started in June 2018 and may have infected more than a million users globally. It appears, however, that the attackers are only interested in specific users in Asia.
THE SHADOWPAD ATTACK
Experts have since unmasked the digital footprints of this attack by scrutinizing the techniques used for this unauthorized code execution, and they lead to a Chinese state player known as BARIUM. It also goes by other names: APT17, Axiom and Deputy Dog. It has also emerged that the same entity has previously been linked to the CCleaner and ShadowPad supply-chain attacks, which operated on a similar attack pattern: system software updates.
The ShadowPad attack was launched in 2017, when the update mechanism for a Korean server management software product, NetSarang, was compromised to open up a backdoor. The company, which has its headquarters in the US, was able to detect and remove the implanted backdoor update in a timely manner, yet it managed to sneak into at least one system in Hong Kong and was activated there.
In another such incident, a reliable piece of software, CCleaner, had its software updates compromised by the ShadowPad backdoor, exposing millions of systems worldwide. However, true to form, the attackers were only interested in a handful of infected systems, including companies. The infected machines then had keyloggers and data-harvesting code installed on them via the backdoor.