Kaspersky speculates the involvement of ShadowPad attackers in Operation ShadowHammer

Experts at Kaspersky Lab linked the recent supply-chain attack targeted ASUS users to the “ShadowPad” threat actor and the CCleaner incident.

Security researchers at Kaspersky Lab linked the recent supply-chain attack that hit ASUS users (tracked as Operation ShadowHammer) to the “ShadowPad” threat actor. Experts also linked the incident to the supply chain attack that targeted CCleaner in September 2018. The Operation ShadowHammer was dcampaign was uncovered by experts from Kaspersky Lab and took place between June and November 2018, but experts discovered it in January 2019. iscovered in January 2019, attackers used a Trojanized version of the ASUS Live Update utility to install a backdoor on specific devices, selected based on their MAC addresses. ASUS has since released software updates to address the issue. 

According to Kaspersky, threat actors tampered with a legitimate binary that was initially compiled in 2015 and that was digitally signed to avoid detection.

The malicious code injected in the binaries allows to fetch and install a backdoor used in the attack to control the compromised systems.

“It is important to note that any, even tiny, tampering with executables in such a case normally breaks the digital signature. However, in this case, the digital signature was intact: valid and verifiable. We quickly realized that we were dealing with a case of a compromised digital signature.” reads the analysis published by Kaspersky.

“We believe this to be the result of a sophisticated supply chain attack, which matches or even surpasses the ShadowPad and the CCleaner incidents in complexity and techniques. The reason that it stayed undetected for so long is partly the fact that the trojanized software was signed with legitimate certificates (e.g. “ASUSTeK Computer Inc.”).”

The supply chain attack was very sophisticated and very targeted, the backdoor was designed to be installed on only 600 select devices, identified through their MAC address.

Some of the MAC addresses targeted by the hackers were rather popular, such as i.e. 00-50-56-C0-00-08 that belongs to the VMWare virtual adapter VMNet8 and is shared by all users of a certain version of the VMware software for Windows.

Another MAC address used in the attack was 0C-5B-8F-27-9A-64, which belongs to the MAC address of a virtual Ethernet adapter designed by Huawei for the USB 3G modem, model E3372h.

During their investigation, experts found other digitally signed binaries from three other vendors in Asia. The binaries are signed with different certificates and a unique chain of trust, but experts pointed out that the way the binaries were trojanized was the same in the three cases.

“The malicious code was not inserted as a resource, neither did it overwrite the unused zero-filled space inside the programs. Instead, it seems to have been neatly compiled into the program, and in most cases, it starts at the beginning of the code section as if it had been added even before the legitimate code.” continues the analysis. “Even the data with the encrypted payload is stored inside this code section. This indicates that the attackers either had access to the source code of the victim’s projects or injected malware on the premises of the breached companies at the time of project compilation.”

Experts found many similarities between non-ASUS-related cases and the ASUS supply chain attack, such as the algorithm used to calculate API function hashes, and the use of IPHLPAPI.dll from within a shellcode embedded into a PE file.

The investigators also found a connection between the ASUS attack to the ShadowPad backdoor that was first detected in 2017 and that was attributed to the Axiom group (also known as APT17 or DeputyDog).

The most popular campaign attributed to the APT17 group is the attack on the Google’s infrastructure, also known as Operation Aurora. For almost a decade the APT17 targeted government organizations in several Southeast Asian countries and the US, NGOs, defense contractors, law firms, IT firms, and mining companies.

According to malware experts at Intezer the code used in the CCleaner attack has many similarities with the code used by the Axiom group.

Experts at Kaspersky noticed that the malicious code used in the Operation ShadowHammer have reused algorithms from multiple malware samples, including many of PlugX RAT, a backdoor used by many Chinese-speaking hacker groups.

“ShadowPad, a powerful threat actor, previously concentrated on hitting one company at a time. Current research revealed at least four companies compromised in a similar manner, with three more suspected to have been breached by the same attacker.” Kaspersky concludes. 

“How many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism,”

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Asus Supply Chain attack, ShadowPad )

[adrotate banner=”5″]

[adrotate banner=”13″]