Kaspersky Links ShadowHammer Supply-Chain Attack to ShadowPad Hackers
The sophisticated supply-chain attack called Operation ShadowHammer that targeted ASUS users can be linked to the “ShadowPad” threat actor and the CCleaner incident, Kaspersky Lab’s security researchers say.
Discovered in January 2019, Operation ShadowHammer relied on a Trojanized version of the ASUS Live Update utility to install a backdoor on specific devices, selected based on their MAC addresses. ASUS has since released software updates to address the issue.
Following an initial report last month, Kaspersky Lab has published additional details from its investigation into the attack, revealing that the first attempts to compromise users through the backdoored ASUS Live Update utility took place in June 2018.
While no official reports on the matter were published, users posted on online forums such as reddit, complaining of receiving a strange “critical” update for ASUS Live Update.
One user even observed that the file was actually dated 2015, thus being much older than the version running on their device, and pointed out that the version of the utility being served to them was known to contain vulnerabilities and to be susceptible to being tricked into executing code.
Kaspersky’s investigation indeed revealed that the hackers tampered with a legitimate binary that was initially compiled in 2015. Using legitimate digital certificates, the hackers modified only tiny parts of the file to keep its size and ensure they would not trigger security alerts.
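The forum user's observation above (a "new" update whose binary was built in 2015) can be turned into an automated sanity check. The following is an added example, not code from the article or from Kaspersky's report: it reads the compile timestamp from a PE image's COFF header and flags an offered update built earlier than the currently installed version. The PE buffer is constructed for the demo and is not a real executable.

```python
import struct

# Constructed sample timestamps (Unix epoch seconds), not values from the article.
INSTALLED_BUILD_STAMP = 1527811200   # 2018-06-01T00:00:00Z, the version on the device
OFFERED_UPDATE_STAMP = 1420070400    # 2015-01-01T00:00:00Z, the "critical" update served


def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp (Unix epoch seconds) of a PE image.

    Layout per the PE/COFF format: the file starts with 'MZ'; the 32-bit
    e_lfanew field at offset 0x3C points to the 'PE\\0\\0' signature; the COFF
    file header follows, with TimeDateStamp at offset 8 from the signature.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def update_is_suspicious(update_image: bytes, installed_stamp: int) -> bool:
    """An update compiled before the installed build deserves a second look,
    even when its digital signature verifies (the signature proves who signed
    the file, not that it is the intended current release)."""
    return pe_timestamp(update_image) < installed_stamp


def build_fake_pe(stamp: int) -> bytes:
    """Constructed minimal PE-like buffer: DOS header + PE signature + COFF header."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> signature at 0x40
    # Machine=i386, 1 section, TimeDateStamp, no symbols, opt. header size, flags
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return bytes(dos) + coff


def demo() -> bool:
    """Replay the scenario: a 2015 build offered to a device running a 2018 build."""
    offered = build_fake_pe(OFFERED_UPDATE_STAMP)
    return update_is_suspicious(offered, INSTALLED_BUILD_STAMP)   # True
```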
The modified binaries included a Trojan downloader designed to fetch and install a backdoor from the file’s resources. The researchers found over 230 samples associated with the attack.
Kaspersky detected the Trojanized utility on tens of thousands of devices running its security products, but says that many others might have been affected. The backdoor, however, was meant to be installed on only 600 select devices, identified by their MAC address, the security researchers say.
The investigation revealed that the attackers targeted the users of multiple vendors, although they appear to have focused on specific ones. One of the targeted MAC addresses was shared by all users of a virtual Ethernet adapter created by a Huawei USB 3G modem, model E3372h.
While investigating the incident, Kaspersky also stumbled upon similar supply-chain incidents that involved video games, with some information on the case shared publicly by ESET in a March 2019 report. The injection methods differed between the ASUS and the video games incidents.
The backdoor in the non-ASUS-related cases was straightforward, designed to check whether it has administrative privileges and to gather various information from the infected machine. Based on received commands, it could download and execute payloads, run payloads as shellcode, and set a registry flag to prevent itself from executing.
Despite the different injection methods, the two attacks are very similar, starting with the algorithm used to calculate API function hashes, and including the use of IPHLPAPI.dll from within a shellcode embedded into a PE file.
The investigators were also able to link the ASUS attack to the ShadowPad backdoor that was initially revealed in 2017. Said last year to have been the stage 3 payload in the sophisticated CCleaner attack, ShadowPad is believed to have been developed by the Axiom group.
Operation ShadowHammer was also found to have reused algorithms from multiple malware samples, including many of PlugX, a backdoor popular among Chinese-speaking hacker groups (associated with Codoso, MenuPass and Hikit attacks).
“Some of the samples we found were created as early as 2012 if the compilation timestamp is anything to trust,” Kaspersky says.
The attackers used an external application to inject the malicious code into the ASUS Live Updater binaries, but used a different technique in non-ASUS cases, seamlessly integrating it into the code of recently compiled legitimate applications.
The researchers also discovered a Trojanized version of the link.exe tool, which is part of Microsoft Visual Studio, a popular integrated development environment (IDE). It is therefore unclear whether a developer from a videogame company unknowingly used the Trojanized development software or whether the attackers deployed the Trojan code on the developer’s machine themselves.
Kaspersky also says it was able to identify three previously unknown victims, namely a videogame company, a conglomerate holding company and a pharmaceutical company, all based in South Korea. The researchers therefore believe that the same actor or a related group is behind these compromises.
“ShadowPad, a powerful threat actor, previously concentrated on hitting one company at a time. Current research revealed at least four companies compromised in a similar manner, with three more suspected to have been breached by the same attacker. How many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism,” Kaspersky concludes.