ShadowHammer, discovered in January 2019, refers to a software supply chain compromise of one of ASUS's update servers. The [Supply Chain Compromise] allowed the attackers to distribute signed, backdoored versions of the ASUS Live Update Utility to ASUS users.
The backdoored ASUS binaries were signed with two different certificates issued by DigiCert CA, one of which was an EV Code Signing Certificate, indicating that the attackers either obtained ASUS's code signing certificates or abused a system on the ASUS network that had the certificates installed. Because the signatures were genuine, signature validation on the client passed; a defense against this pattern has to check more than that the signer is trusted (for example, that the file hash matches what the vendor actually released, or that a compromised certificate has been revoked).
The backdoor was delivered to over a million ASUS users, but a second-stage payload was delivered only to the systems the attackers had selected as targets of interest for cyberespionage.
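As an added illustration (not code from the original page, and not ASUS's or the attackers' code), the following Go program plays the ShadowHammer pattern out with constructed data: an Ed25519 key stands in for the ASUS Authenticode certificate, a signature-only check accepts a backdoored build signed with the vendor key, and a second gate against a vendor-published digest manifest rejects it. The payload bytes, the manifest structure and the function names are assumptions made for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed stand-ins for a vendor update binary and its backdoored twin.
// These are not real ASUS files; they exist only so the example runs offline.
var (
	legitUpdate      = []byte("ASUS Live Update Utility 3.6.8 -- legitimate build")
	backdooredUpdate = []byte("ASUS Live Update Utility 3.6.8 -- legitimate build + implant stub")
)

// SignedUpdate is what a client downloads: the binary plus the vendor's signature over it.
type SignedUpdate struct {
	Payload   []byte
	Signature []byte
}

// signRelease models use of the vendor signing key. Whether the vendor signs a real build
// or an attacker signs a backdoored one (stolen key or abused signing host), the output
// is indistinguishable to a signature check.
func signRelease(priv ed25519.PrivateKey, payload []byte) SignedUpdate {
	return SignedUpdate{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// signatureValid is the check a naive updater stops at: "is the signature good?"
func signatureValid(pub ed25519.PublicKey, u SignedUpdate) bool {
	return ed25519.Verify(pub, u.Payload, u.Signature)
}

// Manifest (hypothetical structure) holds the SHA-256 digests the vendor published for a
// release through a channel the update server cannot alter, e.g. a signed manifest in a
// transparency log or reproducible-build digests.
type Manifest map[string]struct{}

func digest(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// acceptUpdate requires both a valid signature and a digest the vendor actually published.
func acceptUpdate(pub ed25519.PublicKey, m Manifest, u SignedUpdate) (bool, string) {
	if !signatureValid(pub, u) {
		return false, "signature invalid"
	}
	if _, ok := m[digest(u.Payload)]; !ok {
		return false, "signed by trusted key but digest not in published manifest"
	}
	return true, "ok"
}

// Outcome summarises the scenario so it can be checked programmatically.
type Outcome struct {
	LegitAccepted          bool
	BackdoorSignatureValid bool
	BackdoorAccepted       bool
	BackdoorReason         string
}

// RunScenario plays out the ShadowHammer case with constructed data: the attacker signs a
// backdoored build with the vendor key, so a signature check alone lets it through.
func RunScenario() Outcome {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// The vendor publishes digests only of the builds it really produced.
	manifest := Manifest{digest(legitUpdate): {}}

	legit := signRelease(priv, legitUpdate)
	backdoored := signRelease(priv, backdooredUpdate) // attacker with the vendor key

	legitOK, _ := acceptUpdate(pub, manifest, legit)
	bdOK, reason := acceptUpdate(pub, manifest, backdoored)
	return Outcome{
		LegitAccepted:          legitOK,
		BackdoorSignatureValid: signatureValid(pub, backdoored),
		BackdoorAccepted:       bdOK,
		BackdoorReason:         reason,
	}
}

func main() {
	o := RunScenario()
	fmt.Printf("legitimate update accepted:        %v\n", o.LegitAccepted)
	fmt.Printf("backdoored update signature valid: %v\n", o.BackdoorSignatureValid)
	fmt.Printf("backdoored update accepted:        %v (%s)\n", o.BackdoorAccepted, o.BackdoorReason)
}
```

The design point is that the signature gate and the manifest gate fail independently: a stolen or abused signing key defeats only the first, and an attacker who can edit the update server cannot rewrite a manifest published through a separate, append-only channel. Revoking the compromised certificate is the complementary response once the abuse is known.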
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | VT0009.001 | Obtain Capabilities: Code Signing Certificates | ShadowHammer binaries were signed with two different ASUS certificates issued by DigiCert. |
| Enterprise | VT0004.002 | Supply Chain Compromise: Compromise Software Supply Chain | ShadowHammer refers to a backdoor inserted into the ASUS Live Update Utility through a software supply chain compromise and delivered to over a million ASUS users. |
Created: 06 May 2021
Last Modified: 06 May 2021