'ShadowHammer' infects Asus PCs through Asus Live Update

More than 57,000 Asus PC users downloaded a malware-infected Asus Live Update utility (Rawf8 / iStockPhoto)

Over 57,000 users, and possibly up to a million, have downloaded and installed a version of the Asus Live Update utility that was poisoned with a backdoor and hosted on the official Asus servers.

What security vendor Kaspersky is calling ShadowHammer was actually a targeted attack at a small number of users.  (The investigation is still in progress, Kaspersky said.) Kaspersky said that the ShadowHammer attack had been detected worldwide, most commonly in Russia and Germany, with about 5% of victims in the United States.

From a security standpoint, the most disturbing aspect of the malware is that it was digitally signed with legitimate security certificates, the stamp of authenticity that would make them indistinguishable from a real update. They were even hosted on Asus servers. The Live Update software can be downloaded from the Asus site, and it also comes pre-loaded on PCs. 

The Asus Live Update software is designed to look for new versions of the programs released on the Asus website and then automatically update a PC’s BIOS, drivers, and applications. If ShadowHammer allowed the PC to download malicious BIOS software from another site, that software could take over the entire PC. 

The target, Kaspersky said, was the supply chain, a network of companies supplying parts to a particular product. It could involve any number of manufacturing partners. It isn’t clear who or what ShadowHammer was designed to attack, but the security firm said it found a link to what it called BARIUM, involved in a similar supply-chain attack in 2017 called ShadowPad. That attack targeted the financial industry.

Kaspersky didn’t specifically say whether its software would block the attack, but the company said it had designed a tool to determine whether your PC was one of the targeted machines—about 600 addresses in all. To do so, you can download an executable file with a list of the MAC addresses, or check your MAC address manually against a list that’s been published online. (To find your MAC address, open the Windows 10 Settings menu, then navigate to Settings > Network & Internet and then View your network properties. You’ll find that Physical address (MAC) about three rows down.) 

We've reached out to Asus for comment, and will update this story when we hear back.

Given that Asus is usually considered to be the fifth-largest PC vendor in the world, and that ShadowHammer used authentic certificates, the attack is significant. Fortunately, the earlier ShadowPad triggered the download of malware only if a target was considered “interesting." Asus Live Update can apparently be safely uninstalled: Asus describes the process here, though it can be performed normally though Windows as well. 



Suggested Articles

HKPC's Standard Chartered SME Index shows that Hong Kong ICT companies expect to be best placed to benefit from the Greater Bay Area development plan

Companies including Nokia, VMware and Silicon Labs are sharpening their IoT offerings in anticipation of further growth

Cisco's Talos security group says DNSpionage tools have been upgraded to be more stealthy