Kaspersky Lab researchers have uncovered a large-scale attack against ASUS users in which a software update utility was modified and used to distribute malware.
The researchers said investigations into the attack - dubbed Operation ShadowHammer - are “still ongoing”, though they expect to publish a detailed technical paper and present their findings at a security conference in Singapore in mid-April.
Kaspersky said the attack “seems to be one of the biggest supply-chain incidents ever” and estimates a million people may have been exposed to the malware.
However, only a small number of users appeared to be of any interest to the attackers.
“They targeted only 600 specific MAC addresses,” the researchers said in a blog post early on Tuesday.
Kaspersky researchers said they had detected the attack in January this year “thanks to a new technology in our products”. The attack was live “between June and November 2018.”
“A threat actor modified the ASUS Live Update Utility, which delivers BIOS, UEFI, and software updates to ASUS laptops and desktops, added a back door to the utility, and then distributed it to users through official channels,” the researchers said.
“The trojanised utility was signed with a legitimate certificate and was hosted on the official ASUS server dedicated to updates, and that allowed it to stay undetected for a long time.
“The criminals even made sure the file size of the malicious utility stayed the same as that of the original one.”
Kaspersky said that its investigations so far had found the “same techniques” used against software from three other vendors.
“Of course, we have notified ASUS and other companies about the attack,” Kaspersky said.
The Live Update Utility comes pre-installed on most ASUS computers, Kaspersky said. Once enabled, it polls ASUS servers periodically for updates.
“The malicious file pushed to customer machines through the tool was called setup.exe, and purported to be an update to the update tool itself,” reported Motherboard, which had significant extra detail on the attack.
“It was actually a three-year-old ASUS update file from 2015 that the attackers injected with malicious code before signing it with a legitimate ASUS certificate.
“Legitimate ASUS software updates still got pushed to customers during the period the malware was being pushed out, but these legitimate updates were signed with a different certificate.”
Most of the victims Kaspersky saw were from Russia, Germany and France, although users in a number of countries were impacted.
Kaspersky Lab said it had created a tool to check if a user had been specifically targeted by the ShadowHammer advanced persistent threat.
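As an added example of the kind of check such a tool performs (this is illustrative code written for this page, not Kaspersky's tool and not the ASUS utility), the script below normalizes MAC addresses written in any common notation and compares a host's interfaces against a target list. The target addresses here are constructed placeholders, not real ShadowHammer indicators, and storing the list as SHA-256 hashes rather than raw addresses is a design choice of this example; the article does not say how Kaspersky's checker stores its list.

```python
"""Check this host's MAC addresses against a list of targeted addresses.

Added example; the target list is constructed for illustration and contains
no real ShadowHammer indicators.
"""
import hashlib
import re
import uuid

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Return the MAC as lowercase colon-separated hex, e.g. '00:11:22:33:44:55'.

    Accepts colon, hyphen, dot (Cisco style) or no separators; raises
    ValueError on anything that is not 12 hex digits after cleaning.
    """
    hexdigits = re.sub(r"[:\-. ]", "", mac.strip().lower())
    if not _MAC_RE.match(hexdigits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def hash_mac(mac: str) -> str:
    """SHA-256 of the normalized MAC.

    Shipping hashes instead of raw addresses lets a checker avoid disclosing
    the list of targeted machines (design choice for this example only).
    """
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed placeholder targets (assumption: NOT real indicators).
_CONSTRUCTED_TARGETS = ["00:11:22:33:44:55", "66-77-88-99-AA-BB"]
TARGETED_MAC_HASHES = frozenset(hash_mac(m) for m in _CONSTRUCTED_TARGETS)


def check_macs(macs, targeted_hashes=TARGETED_MAC_HASHES):
    """Return the normalized MACs from `macs` that appear in the target list.

    Malformed entries are skipped rather than aborting the whole scan, and
    duplicates are reported once.
    """
    hits = []
    for mac in macs:
        try:
            norm = normalize_mac(mac)
        except ValueError:
            continue
        if hash_mac(norm) in targeted_hashes and norm not in hits:
            hits.append(norm)
    return hits


def local_macs():
    """Best-effort list of this host's MAC addresses.

    Uses psutil when installed (covers every interface); otherwise falls back
    to uuid.getnode(), which reports a single interface and may return a
    random value if no hardware address can be found.
    """
    try:
        import psutil
        macs = []
        for addrs in psutil.net_if_addrs().values():
            for a in addrs:
                if a.family == psutil.AF_LINK and a.address:
                    macs.append(a.address)
        if macs:
            return macs
    except ImportError:
        pass
    return ["%012x" % uuid.getnode()]


if __name__ == "__main__":
    found = check_macs(local_macs())
    if found:
        print("targeted MAC address(es) present on this host:", ", ".join(found))
    else:
        print("no targeted MAC address found on this host")
```

Because the malware in this campaign keyed its second stage on the victim's MAC address, a check of this shape is what an affected organisation would run across its fleet; the hashing step matters only when the real target list is sensitive and must not be redistributed in clear text.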
The attack is the latest to use a legitimate software update mechanism to distribute malware.
In June 2017, the destructive NotPetya was released via an update delivered by MeDoc, a hacked financial documentation software company. It had a catastrophic impact on large firms including Maersk and DLA Piper.
A few months later, in September 2017, anti-virus vendor Avast unwittingly distributed a trojanised CCleaner utility to an estimated 700,000 users. The targets there were high-value tech companies.