Hackers target Asus users with hijacked updates

Malware attack called 'ShadowHammer' spotted by Kaspersky

Shadow Hammer image on laptop

Asus has been unwittingly pushing malware infected updates on users that gave hackers backdoor access to their hardware. 

These malicious actors managed to infect the servers that Asus uses to roll out software updates to its devices. It's a sophisticated supply-chain attack, first spotted by Kaspersky Labs in January, which has been dubbed 'ShadowHammer'

Advertisement - Article continues below

ShadowHammer is a trojan type of malware on a utility that seems legitimate because it has a signed certificate and is hosted on the Asus server that deals with updates. It stays undetected for a long time because criminals made sure the file size stayed the same as the original Asus one.

Kaspersky said the attack took place between June and November 2018 and according to its telemetry, it affected a large number of users.

The Asus live update is a utility that is pre-installed on most Asus computers and is used to automatically update certain components, drivers and applications. Asus is one of the worlds largest PC vendors and, as such, an extremely attractive target for APT groups that might want to take advantage of their user base.

"Based on our statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time," Kaspersky said. "We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide."

Strangely, the cybercriminals behind ShadowHammer were not interested in a vast swathe of  the infected machines as they seemingly targeted only 600 specific MAC addresses, for which the hashes were hardcoded into different versions of the utility.

Advertisement - Article continues below

Kaspersky has said this is a bigger supply-chain incident than the malware infestation that hit CCleaner. The optimisation app was hit in 2017 when a new version of it was being used to spread malware to millions of users. 

IT Pro has approached Asus for comment.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now


Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

Business operations

Nvidia overtakes Intel as most valuable US chipmaker

9 Jul 2020

How to find RAM speed, size and type

24 Jun 2020

The best server solution for your SMB

26 Jun 2020