Taiwanese IT manufacturer ASUS is downplaying the supply chain attack on its Live Update servers that saw users' computers infected with the ShadowHammer malware for several months, saying only a few customers were affected.
The company said in a statement that "a small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group."
ASUS said the attack was carried out by an advanced persistent threat (APT) group, but it did not name the entity or say which country it originated from.
Nor did the company identify the targeted user group.
Security vendor Kaspersky said over a million systems had been sent the compromised Live Update tool, with attackers using two valid ASUS digital certificates to authenticate the software.
Kaspersky was not credited by ASUS for discovering the malware infestation and reporting it to the Taiwanese vendor.
Security vendor Avira said it had seen more than 438,000 executions of the initial installer by ASUS customers.
The compromised installer would check the computer against a list of 600 media access control (MAC) identifiers, the addresses that are hard-coded into the network interfaces on computers.
If the MAC identifier was found on the list, the malware would fetch a second file containing malicious backdoor code, Avira said.
Avira added that updates to the malicious binary expanded the list of MAC identifiers, a tactic the security vendor believes allowed attackers to target systems on an as-needed basis rather than widely distribute or make money out of the malware.
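A defender-side illustration of the MAC list check described above, added here and not taken from ASUS, Avira or Kaspersky: it matches an asset inventory against a list of targeted MAC identifiers to find hosts that would have qualified for the second file. The function names, inventory and addresses are constructed for the example; the addresses come from the range reserved for documentation.

```python
import re

# Constructed target list (reserved documentation addresses, not real indicators),
# written in two of the notations such lists are commonly published in.
TARGETED_MACS = ["00:00:5E:00:53:01", "00-00-5e-00-53-af"]

# Constructed asset inventory: hostname -> interface MACs as different tools print them.
INVENTORY = {
    "laptop-01": ["0000.5e00.5301", "00:00:5E:00:53:10"],   # Cisco-style and colon-style
    "laptop-02": ["00005E0053AF"],                          # bare hex
    "desktop-03": ["00:00:5e:00:53:22", "not-a-mac"],       # one malformed record
}


def normalize_mac(value):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-\s]", "", value).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def find_targeted_hosts(inventory, targeted):
    """Map each host with at least one listed interface to its matching MACs."""
    targets = {m for m in map(normalize_mac, targeted) if m}
    hits = {}
    for host, macs in inventory.items():
        # A host counts as targeted if ANY of its interfaces is on the list.
        matched = sorted({m for m in map(normalize_mac, macs) if m} & targets)
        if matched:
            hits[host] = matched
    return hits


if __name__ == "__main__":
    for host, macs in find_targeted_hosts(INVENTORY, TARGETED_MACS).items():
        print(f"{host}: on target list via {', '.join(macs)}")
```

Because the list was expanded in later builds of the binary, a check like this has to be rerun whenever the published list changes.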
A fixed version 3.6.8 of Live Update has been released by ASUS, and the company claims the new software has "multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means."
ASUS also said it had added an end-to-end encryption mechanism to the fixed version of Live Update, and that it had updated and strengthened its server-to-end-user software architecture, but provided no further technical details on this.
An online security diagnostics tool has also been made available to check for ShadowHammer infections and ASUS is encouraging concerned users to run it as a precaution.
Users meanwhile are reporting that they are unable to get the fixed Live Update version 3.6.8.
"ASUS's post also says Live Update has been (will be?) updated to Version 3.6.8. I have 3.1.9 & try to update, but my version stays the same." — Bill Ingram (@billyarnie), March 26, 2019
ASUS advised that if Live Update cannot get the latest fixed version, users should download it from the company's official website and install it manually.
It did not provide a link to the file, however, and while iTnews tried to locate the fixed version of Live Update, ASUS took down its support website for "service enhancements".