Kaspersky Lab is currently alerting folks to a newly discovered advanced persistent threat that makes use of a supply chain attack to create a backdoor in software.
The entire ordeal is being referred to as Operation ShadowHammer and it targets the Asus Live Update Utility software that comes pre-installed on Asus hardware or can be installed from the firm’s website.
“Using stolen digital certificates used by Asus to sign legitimate binaries, the attackers have tampered older versions of Asus software, injecting their own malicious code. Trojanized versions of the utility were signed with legitimate certificates and were hosted on and distributed from official Asus update servers – which made them mostly invisible to the vast majority of protection solutions,” Kaspersky Lab explains in a statement.
Curiously, the attackers were not targeting all users and were instead focused on gaining access to 600 users in particular. Kaspersky Lab knows this because it discovered hardcoded MAC addresses in the backdoor code of compromised files.
“Once running on a victim’s device, the backdoor verified its MAC address against this table. If the MAC address matched one of the entries, the malware downloaded the next stage of malicious code. Otherwise, the infiltrated updater did not show any network activity, which is why it remained undiscovered for such a long time. In total, security experts were able to identify more than 600 MAC addresses. These were targeted by over 230 unique backdoored samples with different shellcodes,” the firm said.
It’s estimated that the injection of a backdoor into Asus software has been happening since at least June 2018 and may have concluded in November 2018.
So with 600 MAC addresses being targeted, how do you know if your computer is one of them? Thankfully Kaspersky Lab has an online tool that lets you search your MAC address and check whether you were targeted in Operation ShadowHammer.
To find your MAC address, open Command Prompt in Windows, type ipconfig /all and hit Enter.
This will return a list of all the network adapters on your PC. You are looking for the field marked Physical Address, which is also the MAC address of the adapter. If you have more than one, check all of them on the website linked above.
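On a PC with several adapters it is easy to miss one, so the sketch below (an added example, not part of the original article or of any Kaspersky tool) pulls every Physical Address out of saved ipconfig /all output. It assumes English-language output; the sample text and the MAC addresses in it are constructed.

```python
import re

# Constructed sample of English-language `ipconfig /all` output (not real hardware).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Example Gigabit Controller
   Physical Address. . . . . . . . . : 00-11-22-AA-BB-CC

Wireless LAN adapter Wi-Fi:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-11-22-dd-ee-ff

Tunnel adapter isatap.example:

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")            # unindented section header
PHYS_RE = re.compile(r"^\s+Physical Address[ .]*:\s*([0-9A-Fa-f-]+)\s*$")
MAC48_RE = re.compile(r"^(?:[0-9A-F]{2}-){5}[0-9A-F]{2}$")    # six hyphen-separated bytes


def extract_macs(ipconfig_text):
    """Return {adapter section name: 'AA-BB-CC-DD-EE-FF'} for every 48-bit MAC."""
    macs, current = {}, None
    for line in ipconfig_text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1)
            continue
        field = PHYS_RE.match(line)
        if field and current:
            value = field.group(1).upper()
            # Tunnel pseudo-adapters report 8-byte values; they are not MACs, skip them.
            if MAC48_RE.match(value):
                macs[current] = value
    return macs


if __name__ == "__main__":
    for name, mac in extract_macs(SAMPLE_IPCONFIG).items():
        print(f"{name}: {mac}")
```

Disconnected adapters are listed too, since their Physical Address is still present in the output.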
Asus was informed of the threat on 31st January but has yet to comment on the matter. We have contacted Asus South Africa and requested comment on Operation ShadowHammer and will update this story when we hear back from the firm.