Kaspersky has uncovered a new advanced persistent threat (APT) campaign affecting more than a million computer users worldwide. Between at least June and November 2018, Operation ShadowHammer targeted users of the ASUS Live Update Utility, injecting a backdoor.



Each backdoor code contained a table of hardcoded MAC addresses – the unique identifier of network adapters used to connect a computer to a network. Once running on a victim’s device, the backdoor verified its MAC address against this table.



If the MAC address matched one of the entries, the malware downloaded the next stage of malicious code. Otherwise, the infiltrated updater did not show any network activity. In total, security experts were able to identify more than 600 MAC addresses hard coded into the malware.



A blog summarizing the attack can be found on Securelist



Stay safe with Kaspersky