ASUS was not the only company targeted by supply-chain attacks during the ShadowHammer hacking operation as discovered by Kaspersky, with at least six other organizations having been infiltrated by the attackers.

As Kaspersky's security researchers further found, ASUS' supply chain was compromised by trojanizing one of the company's notebook software updaters, ASUS Live Updater; the backdoored version was eventually downloaded and installed on the computers of tens of thousands of customers, according to the experts' estimates.

The tampered-with binaries were signed using a legitimate certificate, so the digital signature still verified and the malicious updater was not flagged.

Backdoored ASUS Live Update binary

However, ASUS was not the only company whose IT infrastructure was infiltrated during Operation ShadowHammer: the researchers found a number of other malware samples that employed similar algorithms and were also signed with valid, legitimate certificates.

Among the similarities, the ASUS samples and the newly found ones used very similar algorithms to calculate API function hashes, and IPHLPAPI.dll was heavily used in all of the malware samples for various purposes.

As in the ASUS case, the samples were using digitally signed binaries from three other Asian vendors:

- Electronics Extreme, authors of the zombie survival game called Infestation: Survivor Stories
- Innovative Extremist, a company that provides Web and IT infrastructure services but also used to work in game development
- Zepetto, the South Korean company that developed the video game Point Blank

Besides these three Asian gaming companies, Kaspersky was also able to find three other organizations which were successfully compromised, "another video gaming company, a conglomerate holding company and a pharmaceutical company, all in South Korea."

However, the researchers are still in the process of alerting them that they were also victims of supply-chain attacks launched by the hacking group behind Operation ShadowHammer.

In the cases of the three Asian vendors who were named in Kaspersky's new analysis, the threat actors were able to drop a malicious payload designed to collect system information and download extra payloads from its command-and-control (C&C) server.

Malicious code execution in trojanized binaries

After being launched on the victims' computers, the trojanized games used as malware droppers first check whether a number of traffic/processor monitoring tools are running, or whether the system language is set to Simplified Chinese or Russian; if any of the checks is true, the backdoor stops execution automatically.

If it successfully passes the system check phase, the malware starts collecting system info (network adapter MAC address, system username, system hostname and IP address, Windows version, CPU architecture, current host FQDN, domain name, current executable file name, drive C: volume name and serial number, screen resolution, and system default language ID).

In the next infection stage, all the info is sent to the C&C server via an HTTP POST request, and the backdoor then sends a GET request to receive commands.

The following commands were discovered:

- DownUrlFile – download URL data to file
- DownRunUrlFile – download URL data to file and execute it
- RunUrlBinInMem – download URL data and run as shellcode
- UnInstall – set registry flag to prevent malware start

The UnInstall command sets the registry value HKCU\SOFTWARE\Microsoft\Windows\{0753-6681-BD59-8819} to 1, which prevents the malware from contacting the C2 again. No files are deleted from the disk, so the dropped files remain discoverable through forensic analysis.
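The UnInstall behaviour above matters for incident responders: a host carrying that registry marker is a confirmed past victim whose dropped files are still on disk, not a clean machine. The following triage helper is an added example written for this article (it is not Kaspersky's, ASUS's or any vendor's tooling). It separates the decision logic from the registry reader so the same check runs against a live HKCU hive on Windows (via the standard `winreg` module) or against an exported .reg file collected offline; the .reg parser handles only the small subset of the format needed here, and the sample export embedded at the bottom is constructed, not a real capture.

```python
"""Registry-marker triage for the ShadowHammer UnInstall flag (added example)."""

# Value written by the UnInstall command, as described in Kaspersky's analysis.
MARKER_PATH = r"SOFTWARE\Microsoft\Windows"
MARKER_NAME = "{0753-6681-BD59-8819}"


def classify(values):
    """Classify a host from a mapping of (key_path, value_name) -> data.

    Registry names are case-insensitive, so compare them case-folded.
    """
    for (path, name), data in values.items():
        if path.lower() != MARKER_PATH.lower() or name.lower() != MARKER_NAME.lower():
            continue
        if data == 1:
            return "uninstall-flag-set"   # backdoor ran here and was told to go quiet
        return "marker-present"           # unexpected data; still pull the key and files
    return "no-marker"                    # absence is not proof of cleanliness


def parse_reg_export(text):
    """Parse the subset of .reg syntax needed here.

    Handles [HKEY_CURRENT_USER\\...] section headers and "name"=dword:xxxxxxxx
    lines under them; other value types are kept as raw strings.  Sections under
    other hives are skipped because the marker lives in HKCU.
    """
    values = {}
    current = None
    prefix = "HKEY_CURRENT_USER\\"
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            current = path[len(prefix):] if path.upper().startswith(prefix) else None
        elif current is not None and line.startswith('"') and '"=' in line:
            name, _, data = line[1:].partition('"=')
            if data.lower().startswith("dword:"):
                data = int(data[len("dword:"):], 16)
            values[(current, name)] = data
    return values


def read_live_hkcu():
    """Read the marker from the live registry; returns {} off Windows or if absent."""
    try:
        import winreg
    except ImportError:
        return {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, MARKER_PATH) as key:
            data, _kind = winreg.QueryValueEx(key, MARKER_NAME)
    except OSError:
        return {}
    return {(MARKER_PATH, MARKER_NAME): data}


# Constructed sample export (not a real capture) showing what a hit looks like.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows]
"{0753-6681-BD59-8819}"=dword:00000001
"""

if __name__ == "__main__":
    print("constructed export:", classify(parse_reg_export(SAMPLE_EXPORT)))
    print("this host (HKCU):  ", classify(read_live_hkcu()))
```

When hunting across a fleet, run the same classify() over every loaded user hive (HKEY_USERS), not only the interactive user's HKCU, since the flag is written under the profile of whoever launched the trojanized game.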

As initially reported when Kaspersky unveiled Operation ShadowHammer, the company also found evidence connecting some of the methods used with those employed in the 2017 ShadowPad supply-chain attack that impacted NetSarang, and in the attack against CCleaner.

The threat group behind the latter was identified as the Winnti Umbrella group BARIUM, known users of the Winnti backdoor, by Microsoft, ESET, and other security researchers.

This time, the researchers also disclosed that the new ShadowPad backdoor used in Operation ShadowHammer employs editable Google Docs for C&C communication.

Additionally, Kaspersky discovered that "ShadowHammer reused algorithms used in multiple malware samples, including many of PlugX. PlugX is a backdoor quite popular among Chinese-speaking hacker groups. It had previously been seen in the Codoso, MenuPass and Hikit attacks."

Our full analysis of #shadowhammer and related gaming companies attacks, including a new (2018) variant of the #ShadowPad backdoor: https://t.co/DHR7UAg0uS — Costin Raiu (@craiu) April 23, 2019

After the ShadowHammer story broke, ASUS also confirmed the hacking incident and stated that "only the version of Live Update used for notebooks has been affected," with all other devices not being affected by the supply chain attack.

Any ASUS customers who haven't yet updated the ASUS Live Update Utility to the clean 3.6.8 version can do so by following the step-by-step procedure available HERE.

ASUS users can also check if their notebooks have been targeted in the attack with the help of offline checkers provided by ASUS and Kaspersky, or the online web checker available on Kaspersky's website.

On the other hand, software vendors are advised by Kaspersky's research team to "introduce another procedure into their software production process that additionally checks their software for potential malware injections even after the code is digitally signed."
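The recommendation above follows from the first point of the article: the trojanized updater carried a genuine signature, so "is it signed?" cannot be the only release gate. One additional check a vendor can bolt on is shown below as an added example written for this article (it is not ASUS's, Kaspersky's or any vendor's code): an independent verification step records the SHA-256 of every artifact as it leaves signing, authenticates that record, and later confirms that whatever the update server hands out is byte-identical to it. It assumes artifacts are passed in as name-to-bytes mappings and that the manifest is authenticated with an HMAC key held only by the verification step, never by the build or signing hosts; the file names and contents at the bottom are constructed stand-ins, not real binaries.

```python
"""Post-signing release gate: verify published artifacts against an authenticated
manifest (added example, not vendor code)."""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _canonical(entries: dict) -> bytes:
    # Stable encoding so the MAC is reproducible regardless of dict order.
    return json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artifacts: dict, manifest_key: bytes) -> dict:
    """Record each signed artifact's hash and authenticate the record.

    Run this on the verification host, on the files exactly as they will be
    published, so the check covers the whole path from signing to the customer.
    """
    entries = {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}
    mac = hmac.new(manifest_key, _canonical(entries), "sha256").hexdigest()
    return {"artifacts": entries, "mac": mac}


def verify_release(manifest: dict, published: dict, manifest_key: bytes) -> list:
    """Compare published artifacts against the manifest and return findings.

    An empty list means the manifest is intact and every published file matches;
    anything else should block the release, regardless of the Authenticode
    signature on the file.
    """
    expected_mac = hmac.new(manifest_key, _canonical(manifest["artifacts"]), "sha256").hexdigest()
    if not hmac.compare_digest(expected_mac, manifest.get("mac", "")):
        return ["manifest: MAC mismatch (manifest edited or wrong key)"]
    findings = []
    for name, digest in manifest["artifacts"].items():
        if name not in published:
            findings.append(f"{name}: missing from release")
        elif sha256_hex(published[name]) != digest:
            findings.append(f"{name}: content differs from verified build output")
    for name in published:
        if name not in manifest["artifacts"]:
            findings.append(f"{name}: not in manifest (unexpected artifact)")
    return findings


# Constructed stand-ins for a signed release (hypothetical names, not real files).
MANIFEST_KEY = b"example-verification-key-not-a-real-secret"
SIGNED_BUILD = {
    "Updater.exe": b"MZ...constructed clean updater bytes...",
    "Updater.dll": b"MZ...constructed helper library bytes...",
}
MANIFEST = build_manifest(SIGNED_BUILD, MANIFEST_KEY)


def demo():
    """Return findings for the clean release and for a copy with an appended stage."""
    tampered = dict(SIGNED_BUILD)
    tampered["Updater.exe"] = SIGNED_BUILD["Updater.exe"] + b"<constructed injected stage>"
    return (verify_release(MANIFEST, SIGNED_BUILD, MANIFEST_KEY),
            verify_release(MANIFEST, tampered, MANIFEST_KEY))


if __name__ == "__main__":
    clean, bad = demo()
    print("clean release:   ", clean or "OK")
    print("tampered release:", bad)
```

This gate catches modification anywhere after the manifest is recorded, for example an update server serving a different file than the one verified. It does not catch an injection that happened before that point, which is why the manifest must be produced on a host the build and signing systems cannot write to, and why Kaspersky's advice to additionally scan the signed artifacts still applies.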

Taking everything into consideration, Operation ShadowHammer involved supply-chain attacks that compromised at least seven companies (ASUS, Electronics Extreme, Innovative Extremist, Zepetto, and three not yet named South Korean entities).

The researchers also stated that "how many more companies are compromised out there is not known. What is known is that ShadowPad succeeded in backdooring developer tools and, one way or another, injected malicious code into digitally signed binaries, subverting trust in this powerful defense mechanism."