ASUS Hack: Here's how to check if your laptop's been infected by ShadowHammer

Abhijit Dey • March 28, 2019, 18:45:24 IST

ASUS has now released an official diagnostic tool to verify whether your system is affected.


Update: We had reached out to Kaspersky Lab to confirm whether their security solutions will be able to detect the ShadowHammer malware henceforth. Costin Raiu, Director of Global Research and Analysis Team (GReAT), Kaspersky Lab said, “All Kaspersky Lab products successfully detect and block the malware used in Operation ShadowHammer, which is a new advanced persistent threat (APT) campaign discovered that has affected users through what is known as a supply chain attack. This includes the consumer solution range.”

Hackers were able to successfully install malware on ASUS laptops running Windows using ASUS’ own Live Update software update tool. The attackers breached the official servers and cloaked the malicious code inside the software that was then deployed to end users. Cybersecurity researchers at Kaspersky Lab confirmed that the attack was carried out in 2018 between June and November. The hackers were able to affect an estimated half a million ASUS machines. However, only about 600 machines were actively targeted by hackers.

![Representative image.](https://images.firstpost.com/wp-content/uploads/2019/03/ASUS.jpg)

Representative image. Image: Reuters.

ASUS Hack: What happened?

Dubbed the ‘ShadowHammer attack’ by Kaspersky Lab, it falls under what is called a supply chain attack. This attack was first reported by Motherboard. In these types of attacks, malicious software is delivered or deployed directly to users through trusted channels, in this case, directly using ASUS’ Live Update tool. Kaspersky believes the malware is similar to the previous ShadowPad and CCleaner attacks, which were also supply-chain attacks.

The company came across the hack in January and reported it to ASUS, but customers weren’t notified about it. Kaspersky has now released some of the technical details of the attack and it plans on presenting the full technical paper at its Security Analyst Summit, to be held from 8 to 11 April. About 57,000 Kaspersky users downloaded and installed the malicious update.

When software updates are sent to end users, they are signed or authenticated with official ASUS certificates (a form of digital authentication token) to verify that the update is genuine. The attackers were able to sign their malicious code inside the update with legitimate ASUS certificates.

A table of MAC addresses was hardcoded into the backdoor, and it checked whether the victim machine’s MAC address matched an entry in that table. If it found a match, the next phase of the attack was executed: connecting back to the attacker’s servers and downloading the second malicious payload. When there wasn’t a match, the affected machines didn’t show any kind of suspicious activity. Out of the one million affected ASUS machines, the researchers found about 600 MAC addresses hardcoded in the backdoor.

Kaspersky hasn’t been able to figure out the ultimate intentions of this attack yet. Since the attackers targeted a small fraction of the affected systems, it indicates that the whole operation was meant for a specific group of users.

ASUS confirmed the attack and issued an explanation of what was affected. They also confirmed that among their devices, only notebooks were affected. The Live Update version specifically used for laptops was targeted. The company claims to be already reaching out to affected users and assisting them in getting rid of the security threat.

A fix has been implemented by them in the latest Live Update software (version 3.6.8). This time they have incorporated multiple security verification mechanisms that won’t allow any other software by a third party to be signed using real ASUS certificates. An enhanced end-to-end encryption mechanism has also been implemented. Further updates were also made to its server-to-end-user software architecture to prevent any future attacks of a similar nature. Additionally, they have released a downloadable diagnostic tool that identifies affected systems.

ASUS Hack: Checking for infection

If you own an ASUS laptop and regularly updated your drivers using the ASUS Live Update tool, don’t panic. Although the number of machines that installed the backdoor-laden updates is quite high, the number of targeted systems is tiny. Hence, you don’t really need to worry. However, just to be sure, you must verify it.

ASUS has already deployed a diagnostic tool that can be downloaded on your laptop. It’s a regular .exe file that will automatically check whether your machine is affected. However, if you’re sceptical about installing any kind of diagnostic tool, especially at such a sensitive time, then Kaspersky Lab has you covered. Kaspersky has released a dedicated website to check whether your computer’s MAC address was present on the target list. The ASUS diagnostic tool probably does the same automatically and this is more of a manual approach.

Before you enter the MAC address, you need to first find it. Regardless of the Windows version you’re running, open the “Search” menu from the taskbar or click on the Start Menu and search for “cmd”. Press Enter and the Command Prompt will launch. You can alternatively press Windows Key + R, type in “cmd” and then press Enter to open Command Prompt.

After launching it, enter the command “ipconfig /all”. This will list all the details about the network adapters installed on your system. Under “Ethernet adapter”, look for “Physical Address”. You should see a string of hexadecimal numbers next to it that looks something like “A1-B2-C3-4D-5E-6F”. Copy this string and paste it into the text box in the above-mentioned Kaspersky website.

If your system has a Wi-Fi network adapter, you will see another block of information listed under “Wireless LAN adapter” after entering the command. Copy and paste the string in the website and verify whether it’s part of the targeted addresses.
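As an added example (not part of the original article, and not ASUS's or Kaspersky's tool), the Python sketch below parses `ipconfig /all` output, collects the Physical Address of every adapter and compares each one with a locally held list. The sample output and the target list are constructed placeholders, and English-language Windows output is assumed.

```python
import re

# Constructed sample of `ipconfig /all` output (not from a real machine).
SAMPLE_IPCONFIG = """\
Ethernet adapter Ethernet:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : A1-B2-C3-4D-5E-6F

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : 00-11-22-AA-BB-CC
"""

# Hypothetical stand-in for a target list; the article does not publish one.
CONSTRUCTED_TARGETS = {"00:11:22:aa:bb:cc"}

ADAPTER_RE = re.compile(r"^(\S.*adapter .+):\s*$")
MAC_RE = re.compile(r"^\s+Physical Address[ .]*:\s*((?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\s*$")

def normalize_mac(mac):
    """Canonical form: lowercase hex pairs joined by ':'."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()

def adapters_from_ipconfig(text):
    """Map each adapter heading to its normalized Physical Address."""
    found, current = {}, None
    for line in text.splitlines():
        heading = ADAPTER_RE.match(line)
        if heading:
            current = heading.group(1)
            continue
        mac = MAC_RE.match(line)
        if mac and current:
            found[current] = normalize_mac(mac.group(1))
    return found

def targeted_adapters(text, targets):
    """Return only the adapters whose MAC appears in the target set."""
    wanted = {normalize_mac(t) for t in targets}
    adapters = adapters_from_ipconfig(text)
    return {name: mac for name, mac in adapters.items() if mac in wanted}

if __name__ == "__main__":
    print(targeted_adapters(SAMPLE_IPCONFIG, CONSTRUCTED_TARGETS))
```

Checking every adapter matters because a laptop usually reports separate addresses for its Ethernet and Wi-Fi interfaces, and either one could be the address on a list.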

Fixing your infected ASUS laptop

If your system is among the unfortunate ones to be affected by ShadowHammer, then it’s time to take things seriously. Since the intent of the attack is still unknown, it’s better to take precautions on all fronts. ASUS recommends taking a backup of all your necessary files and resetting your system. Since it’s a software-level malware attack, restoring to factory settings or reinstalling a fresh copy of Windows will completely remove the malware from your system. Changing your passwords is recommended as well. ASUS is also offering direct assistance if your system is affected. You should immediately contact ASUS Customer Service if you face any issues.
