Threat Watch

Operation ShadowHammer Dropping Backdoors Through ASUS Updates

A campaign that ran from June 2018 through November 2018 could have affected over one million ASUS users worldwide, but the group behind the attack appears to have been targeting a small subset of users in Asia. ASUS uses a platform that allows automatic BIOS, UEFI, driver and application updates. The group suspected of being behind the attack, BARIUM APT, compromised the digital certificates ASUS uses to sign its binaries and placed malicious code inside older ASUS software. The attackers were then able to trojanize the utilities and sign them with legitimate certificates, allowing them to be passed off as legitimate updates by the ASUS update server.

As stated above, any user running the affected software could have been a victim. That does not seem to be the case, however: around 600 hard-coded MAC addresses were found within the backdoor code, and if the targeted machine did not match one of the specified MAC addresses, the malware stopped its process. If it did match, the next payload was downloaded. Although the backdoors placed on users' PCs were not activated, that does not mean they could not be in the future. In total, about 230 samples were seen.

ASUS was quick to release a new version of the Live Update software, and claims to have implemented multiple security verification mechanisms.


Users running the affected software should update their systems as soon as possible. Users should also be cautious, as future attacks could be carried out on PCs where the malware lies dormant.
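
Because the backdoor only proceeded on machines whose MAC address matched its hard-coded list, one triage step is to compare every adapter in an asset inventory against a published list of targeted addresses. The following Python is an added example, not code from the original article, ASUS, or any vendor tool; the CSV layout, the function names, and every MAC value in it are constructed assumptions.

```python
"""Added example: triage an asset inventory against a list of targeted MACs."""
import csv
import io
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw):
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC."""
    # Inventories mix 00:11:.., 00-11-.. and 0011.2233.4455 styles.
    digits = re.sub(r"[\s:.\-]", "", raw.strip().lower())
    return digits if _HEX12.match(digits) else None


def load_targets(lines):
    """Build the lookup set from a target list, skipping comments and junk."""
    return {m for m in (normalize_mac(line) for line in lines) if m}


def triage(inventory_csv, targets):
    """Map hostname -> sorted list of that host's adapters found in targets.

    Assumed columns: 'hostname' and 'macs' (semicolon-separated), because a
    laptop has several adapters and any one of them can match.
    """
    hits = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        macs = {normalize_mac(m) for m in row["macs"].split(";")}
        matched = sorted(m for m in macs if m and m in targets)
        if matched:
            hits[row["hostname"]] = matched
    return hits


# Constructed sample data (locally administered addresses, not real indicators).
SAMPLE_TARGETS = ["02:00:5E:10:00:01", "02-00-5e-10-00-02", "# comment", ""]
SAMPLE_INVENTORY = """hostname,macs
lt-0142,0200.5e10.0001;02:00:5e:aa:bb:cc
ws-0007,02:00:5E:AA:00:09
lt-0311,not-recorded;02-00-5E-10-00-02
"""

if __name__ == "__main__":
    found = triage(SAMPLE_INVENTORY, load_targets(SAMPLE_TARGETS))
    for host, macs in found.items():
        print(f"{host}: matched adapter(s) {', '.join(macs)}")
```

A host with no match can still have installed the trojanized updater, so this check prioritizes investigation and does not replace updating the affected software.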