Notebookcheck Logo

Operation ShadowHammer: Tens of thousands of computers had a security backdoor installed via Asus' Live Update Utility

Operation Shadowhammer
Operation Shadowhammer
Kaspersky Labs earlier today wrote about an attack they discovered in January that compromised Asus' Live Update Utility. The attack affected 57,000 Kaspersky customers and may have hit as many as 500,000 computers around the world. Dubbed "Operation ShadowHammer," the attack injected a Trojan into the Live Update Utility and used authentic Asus software certificates to install itself onto targeted systems.

Most PC OEMs are known for including apps and utilities that are pre-installed on the computers they ship out to consumers. While most of these are minor annoyances, a group of hackers found some use in one of Asus’ pre-installed software packages. In what is being called ”Operation ShadowHammer,” these hackers were able to attach malware to Asus’ Live Update Utility that opened a backdoor on affected systems.

Researchers at security firm Kaspersky Lab discovered the attack in January of this year. The research team is still investigating the exact scope of the attack, dubbed “Operation ShadowHammer.” The attack took place between June 2018 and November 2018 and has affected at least 57,000 Kaspersky users. Kaspersky currently estimates that over 500,000 Windows computers have been affected.

The attack involved injecting a Trojan into a compromised Asus server and attaching it to legitimate Asus software that carried an authentic digital signature. This attack was used to open a backdoor on a targeted set of systems, identified by specific MAC addresses hard-coded into the malware.

The attack is reminiscent of two similar hacks that involved compromising trusted software bearing authenticate certificates. While most hacks use methods to run “unsigned,” or unverified, code on a target machine, Operation ShadowHammer (and the two previous attacks similar to this one) compromised trusted software. This made the attacks fly under the radar for long periods of time.

Kaspersky reached out to Asus on January 31st to notify the company of the issue. Researchers then met with Asus on February 14th, but Kaspersky told Motherboard that the 5th largest PC manufacturer has largely been unresponsive. According to Kaspersky, the two Asus certificates used in ShadowHammer are still valid and could be used for future injections.

Kaspersky has a tool you can use to check if your computer was one of those targeted in this attack. You can find it at their site here. If your computer has indeed been compromised, contact Kaspersky Labs at [email protected].

static version load dynamic
Loading Comments
Comment on this article
Please share our article, every link counts!
> Expert Reviews and News on Laptops, Smartphones and Tech Innovations > News > News Archive > Newsarchive 2019 03 > Operation ShadowHammer: Tens of thousands of computers had a security backdoor installed via Asus' Live Update Utility
Sam Medley, 2019-03-25 (Update: 2019-03-25)