ShadowHammer

ShadowHammer, discovered in January 2019, refers to a software supply chain compromise of one of ASUS's update servers. The [Supply Chain Compromise] allowed the attackers to distribute a signed, backdoored version of an application called ASUS Live Update Utility to ASUS users.

The backdoored ASUS binaries were signed with two different certificates issued by the DigiCert CA, one of which was an EV Code Signing Certificate. This indicates that the attackers either obtained code signing certificates themselves or abused a system on the ASUS network that had the certificates installed.

ShadowHammer reused algorithms found in multiple other malware samples, including many PlugX samples. PlugX is a backdoor that is quite popular among Chinese-speaking hacker groups.

The backdoor was delivered to over a million ASUS users, while a second-stage payload was delivered only to those users of interest for cyberespionage purposes.[1]

Techniques Used

Domain ID Name Use
Enterprise VT0009 .001 Obtain Capabilities: Code Signing Certificates

ShadowHammer binaries were signed with two different ASUS certificates issued by DigiCert.

Enterprise VT0004 .002 Supply Chain Compromise: Compromise Software Supply Chain

ShadowHammer refers to a backdoor inserted into the ASUS Live Update Utility through a software supply chain compromise and delivered to over a million ASUS users.

References

Attachments

ID
VS0010
Type
TOOL

Created: 06 May 2021

Last Modified: 06 May 2021