ASUS Live Update

What Was Affected

Compromised Versions

• Multiple versions of ASUS Live Update utility distributed between June and November 2018

Incident Context

Motive

Espionage (highly targeted)

Attribution

Nation-state

Transitive

No

User Impact

57000

Observed Duration

153 days

Evidence

Compromised Artifacts

• dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/LiveUpdate/LiveUpdate_Win10_20180115.zip
• dlcdnets.asus.com/pub/ASUS/nb/Apps_for_Win10/LiveUpdate/Liveupdate_13.02.03.zip
• liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win10/LiveUpdate

Current Artifacts and Analysis

• github.com/VirusTotal/sample-collection-c/tree/main/Operation%20ShadowHammer
• securelist.com/operation-shadowhammer-technical-details/90055
• virustotal.com/gui/file/0f49621b06f2cdaac8850c6e9581a594128d69204c18589921e1fb5b7074da30

Indicators and Changes

Hashes

• sha256:0f49621b06f2cdaac8850c6e9581a594128d69204c18589921e1fb5b7074da30
• sha256:5855a5562d9add04ce523bfec4166c4cd252ffc398b18b2856a2faec8b1142e7
• sha256:72a4bed7e48266794e07c8acc3ac4c8e6a6d0fbe6aa6eb8be3880d32e1874627

External References

• securelist.com/operation-shadowhammer/89992
• securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380
• mauronz.github.io/shadowhammer-backdoor
• vice.com/en/article/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
• vice.com/en/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
• asus.com/news/asus-response-to-the-recent-media-reports-regarding-asus-live-update-tool-attack-by-advanced-persistent-threat-apt-groups