Security Week 18: ShadowHammer attack in detail
At the end of March, Motherboard published an article about the potential hacking of Asus’s infrastructure. Having received partial access to the company's resources, the attackers were able to distribute among customers who installed the Asus Live Update utility to download new drivers in a timely manner, the version of the program with malicious functionality signed by the official certificate. We wrote about this attack, discovered by Kaspersky Lab experts, in early April .
Kaspersky Lab has published an extended report on ShadowHammer on April 23. This very fascinating, although completely technical document is recommended to be read in its entirety, and in this post there will be only a brief description of a part of the finds. The most interesting thing is the potential connection of ShadowHammer with infected copies of a not the best computer game about zombies and a coordinated attack on software developers.
In total, Kaspersky Lab experts found 230 samples of an infected utility to update drivers on Asus devices. In all cases, its original version is dated 2015, but later during the attack, the injection method of its own executable code was changed — most likely in order to more effectively avoid detection:
The method of introducing malicious code changed in the period between July and December 2018. The start date of the attack is not known for certain, but it was discovered in January 2019. The most effective way to infect users' computers and go unnoticed was the use of Asus legitimate certificates, which were also used to sign the “official” harmless utilities produced by this company.
')
The screenshot above is an example of a legitimate Asus utility, signed with the same certificate as the malicious version of Asus Live Update. The signature date is March 2019, after the vendor received information about the attack and the certificates used. The campaign operators had to change the digital signature for the modified executable files in the process, since the first stolen certificate expired in August 2018.
Judging by the use of the old version of the legitimate program and the differences in the digital signature of the official and modified software, the attack organizers had limited access to the internal resources of the vendor. For example, it was possible to hack the computer of one of the developers, to steal certificates, but not the actual source code of the utility. In addition, attackers gained access to the infrastructure for the delivery of updated versions of the utility in order to distribute the malicious modification.
A key feature of the ShadowHammer attack is a limited number of targets for the attack. There were a lot of potential victims: the malicious version of Asus Live Update only by Kaspersky Lab tools was detected by 57 thousand users. The actual number of victims could have been even higher, but on most computers the malware did not do anything clearly illegal.
In all cases, the modified utility collected data on the MAC addresses of all available network adapters and compared their MD5 hashes with its own list. Only in the case of the discovery of one of the MAC addresses from the list, a call was made to the command server from which another executable file was downloaded. The number of addresses differs from sample to sample: the shortest list consists of eight MAC addresses, the longest of them is 307. In total, more than 600 identifiers of network devices were identified, by which the attackers found systems of interest. You can check your MAC-addresses for the presence in this list here .
It is logical that most of the MAC addresses in the list refer to devices manufactured by Asus itself. But there are also addresses that cover a large number of users, for example, 00-50-56-C0-00-08 is the identifier of the virtual network adapter VMWare. However, such a coincidence did not always lead to the development of an attack: it began only if the MAC address of the physical network adapter also coincided with the required one.
How it looked in practice, shows a screenshot of the discussion on Reddit. A user with the Asus Live Update utility installed receives a notification of a “critical update,” while offering to download a program three years ago. It’s not a fact that this discussion is about this particular attack (since there is no file identifier), but judging by the build date of the binary, it was it. Given that the search for mentions gave only two reports of potential problems (the second one was definitely not connected with ShadowHammer), we can say that the attack went unnoticed, despite the fairly large number of potential victims.
What happened to those whose MAC address was on the list is unknown. At the time of the discovery of the attack in January 2019, the command server was turned off, and so far the researchers failed to get the executable files downloaded to the computers of the real victims.
Contact with other attacks
And here in the post zombies rush in!
In March 2019, ESET specialists investigated the infected versions of the Infestation: Survivor Stories game. Given the theme of the game, this in itself sounds like an anecdote, but the situation for the developer (probably using the source code of the earlier game The War Z) is not the most fun. Most likely, the malicious code appeared in official builds after the developers' computers were compromised. In this, and in a couple of other incidents involving attacks on gaming studios, a similar method of ShadowHammer injection of malicious code was applied:
Okay, this is not reliable evidence of a link between the two incidents. But there is also a coincidence in the hash algorithms used to collect the victims' data on computers, and a couple of other common technical features of the attacks. Judging by the lines in the malicious code, it can be assumed that the source code of the earlier War Z game could be distributed as a kind of Trojan horse for game developers who wanted to use them. Kaspersky Lab experts also found signs of a re-use of ShadowHammer's algorithms in the PlugX backdoor , most likely developed in China.
This potential connection between different attacks gives the ShadowHammer story a new dimension and is a warning to developers. Programmers can become involuntary distributors of malicious code due to coordinated and consistent actions of intruders. Moreover, different tools can be used: theft of certificates, the inclusion of malicious code in the source code, injection into executable files (for example, before sending to the customer). Judging by the number of white spots in this and other investigations, the attackers managed to infiltrate into the infrastructure of software developers, spread the malicious code to a large number of victims, while precisely targeting targets so as to go unnoticed for at least several months (as is the case with ShadowHammer) .
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.
Kaspersky Lab has published an extended report on ShadowHammer on April 23. This very fascinating, although completely technical document is recommended to be read in its entirety, and in this post there will be only a brief description of a part of the finds. The most interesting thing is the potential connection of ShadowHammer with infected copies of a not the best computer game about zombies and a coordinated attack on software developers.
In total, Kaspersky Lab experts found 230 samples of an infected utility to update drivers on Asus devices. In all cases, its original version is dated 2015, but later during the attack, the injection method of its own executable code was changed — most likely in order to more effectively avoid detection:
The method of introducing malicious code changed in the period between July and December 2018. The start date of the attack is not known for certain, but it was discovered in January 2019. The most effective way to infect users' computers and go unnoticed was the use of Asus legitimate certificates, which were also used to sign the “official” harmless utilities produced by this company.
')
The screenshot above is an example of a legitimate Asus utility, signed with the same certificate as the malicious version of Asus Live Update. The signature date is March 2019, after the vendor received information about the attack and the certificates used. The campaign operators had to change the digital signature for the modified executable files in the process, since the first stolen certificate expired in August 2018.
Judging by the use of the old version of the legitimate program and the differences in the digital signature of the official and modified software, the attack organizers had limited access to the internal resources of the vendor. For example, it was possible to hack the computer of one of the developers, to steal certificates, but not the actual source code of the utility. In addition, attackers gained access to the infrastructure for the delivery of updated versions of the utility in order to distribute the malicious modification.
A key feature of the ShadowHammer attack is a limited number of targets for the attack. There were a lot of potential victims: the malicious version of Asus Live Update only by Kaspersky Lab tools was detected by 57 thousand users. The actual number of victims could have been even higher, but on most computers the malware did not do anything clearly illegal.
In all cases, the modified utility collected data on the MAC addresses of all available network adapters and compared their MD5 hashes with its own list. Only in the case of the discovery of one of the MAC addresses from the list, a call was made to the command server from which another executable file was downloaded. The number of addresses differs from sample to sample: the shortest list consists of eight MAC addresses, the longest of them is 307. In total, more than 600 identifiers of network devices were identified, by which the attackers found systems of interest. You can check your MAC-addresses for the presence in this list here .
It is logical that most of the MAC addresses in the list refer to devices manufactured by Asus itself. But there are also addresses that cover a large number of users, for example, 00-50-56-C0-00-08 is the identifier of the virtual network adapter VMWare. However, such a coincidence did not always lead to the development of an attack: it began only if the MAC address of the physical network adapter also coincided with the required one.
How it looked in practice, shows a screenshot of the discussion on Reddit. A user with the Asus Live Update utility installed receives a notification of a “critical update,” while offering to download a program three years ago. It’s not a fact that this discussion is about this particular attack (since there is no file identifier), but judging by the build date of the binary, it was it. Given that the search for mentions gave only two reports of potential problems (the second one was definitely not connected with ShadowHammer), we can say that the attack went unnoticed, despite the fairly large number of potential victims.
What happened to those whose MAC address was on the list is unknown. At the time of the discovery of the attack in January 2019, the command server was turned off, and so far the researchers failed to get the executable files downloaded to the computers of the real victims.
Contact with other attacks
And here in the post zombies rush in!
In March 2019, ESET specialists investigated the infected versions of the Infestation: Survivor Stories game. Given the theme of the game, this in itself sounds like an anecdote, but the situation for the developer (probably using the source code of the earlier game The War Z) is not the most fun. Most likely, the malicious code appeared in official builds after the developers' computers were compromised. In this, and in a couple of other incidents involving attacks on gaming studios, a similar method of ShadowHammer injection of malicious code was applied:
Okay, this is not reliable evidence of a link between the two incidents. But there is also a coincidence in the hash algorithms used to collect the victims' data on computers, and a couple of other common technical features of the attacks. Judging by the lines in the malicious code, it can be assumed that the source code of the earlier War Z game could be distributed as a kind of Trojan horse for game developers who wanted to use them. Kaspersky Lab experts also found signs of a re-use of ShadowHammer's algorithms in the PlugX backdoor , most likely developed in China.
This potential connection between different attacks gives the ShadowHammer story a new dimension and is a warning to developers. Programmers can become involuntary distributors of malicious code due to coordinated and consistent actions of intruders. Moreover, different tools can be used: theft of certificates, the inclusion of malicious code in the source code, injection into executable files (for example, before sending to the customer). Judging by the number of white spots in this and other investigations, the attackers managed to infiltrate into the infrastructure of software developers, spread the malicious code to a large number of victims, while precisely targeting targets so as to go unnoticed for at least several months (as is the case with ShadowHammer) .
Disclaimer: The opinions expressed in this digest may not always coincide with the official position of Kaspersky Lab. Dear editors generally recommend to treat any opinions with healthy skepticism.
Source: https://habr.com/ru/post/450150/
All Articles