ASUS Supply Chain Attack (ShadowHammer)

ASUS Supply Chain attack via ASUS Live Update

If you or anybody you know uses ASUS notebooks, you might want to check the tech news (if you haven’t already). Your machines may have been host to malicious updates that were passed via ASUS’s Live Update software in a massive supply chain attack.

Kaspersky Labs recently published an article on something they are calling Operation ShadowHammer, and it’s a doozy.

Here’s what we know

  • It appears to be a highly sophisticated supply chain attack that utilized ASUS’s own certificates to sign malware that was pushed to targets via the ASUS Live Update software update utility.
  • The malware (a backdoored version of ASUS Live Update) was pushed to targets between June and November 2018 (5 months!)
  • After installation of the update, the malware matched target MAC addresses against a hardcoded list of ~600 (so far) MAC addresses.
  • If the target has a matching MAC address, a second payload is downloaded and additional malware is installed.
  • ASUS issued a statement about the attacks that included an announcement that the latest version of ASUS Live Update software (3.6.8) included additional security mechanisms to prevent malicious manipulation. (Initially, they had apparently denied any issues to Kaspersky researchers. You can read more about it here.)
    • As of this posting, all the download links I found on ASUS’s website pointed to older versions, so you may have to update each computer individually. (boo!)
    • If anybody finds a direct link to a newer download, please let me know and I’ll update the post!

Despite the fact that this malware only appears to target a very small number of users (~600) for a second payload, the initial payload essentially created a backdoor on all affected machines. (Yikes!)

What does this mean for me?

If I am not using any ASUS notebooks, then I can go get a cool refreshing beverage and enjoy my day. (Or I could get back to work. A judgment call may be warranted here.)

If I am using ASUS notebooks, I’m going to want to do the following:

  • Identify (and update) the version of ASUS Live Update on those notebooks.
  • Identify which machines have been affected and keep a close eye on them.

How to check the version of ASUS Live Update

There are a bunch of different ways I could determine which version of the software I’m using. (These are just a handful of options.)

  • Check the software itself (Right-click on the icon in the taskbar and select About)
  • Check the Programs and Features page (Windows Key + R to open a Run box and run appwiz.cpl)
  • Use PowerShell (or command prompt but PowerShell’s cooler)
  • Use PDQ Inventory to look at all the computers in my network

The first two methods listed are totally fine if I only need to check a couple of computers. They’re straightforward and quick enough.

But, if I manage a bunch of machines and want to check them all at once, I’m going to recommend a tool that can query multiple machines at a time. For that, either PowerShell or PDQ Inventory will do the job.

Checking the software itself

Here, we need to right-click on the currently-running version of ASUS Live Update and select the About menu item.

In the previous screenshot, you can see that the version of ASUS Live Update is out-of-date (3.4.1).

Voila! Easy peasy! But, if you have multiple computers, you’d have to do this for each computer one at a time. (Boring!)

Check the Programs and Features page

Similar to checking the software itself, this will also need to be done on the computer in question.

The quickest way to do this is by pressing Windows Key + R to open up the Run dialog box. In the box, type in the command appwiz.cpl.

In this new window, you can easily identify the version of any installed software. This, too, is easy peasy. But, it also is less-than-fun if you have more than a couple of machines to do this on.

Using PowerShell

Depending on your method of choice, there’s a handful of ways to identify installed software via PowerShell.

Here are a couple of ways to whet your appetite for PowerShelly goodness. These are some quick examples utilizing either the registry (both the 64-bit and 32-bit Uninstall locations) or WMI.

Use the registry (Get-ItemProperty)

Get-ItemProperty HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*, HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\* | Where-Object {$_.DisplayName -like "ASUS Live Update"} | Select-Object DisplayName, DisplayVersion

Use WMI* (Get-CimInstance or Get-WMIObject)

Get-CimInstance Win32_Product | Where-Object {$_.Name -like "ASUS Live Update"} | Select-Object Name, Version

*One thing to note about the Win32_Product class, however, is that querying it can cause a consistency check with installed applications that can trigger repair installs to happen. (More info here)

Other than a special note about querying Win32_Product, I’m not going to go into much detail with these commands, but feel free to reach out if you’ve got any questions. If enough people are interested, perhaps we can write another blog with relevant info.
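If you want to run the registry check across a fleet rather than one box at a time, here is an added example (my own, not from the original commands above) that uses PowerShell remoting to query the Uninstall keys on several machines and flags anything older than 3.6.8. It assumes WinRM is enabled on the targets, that the Uninstall entry’s DisplayName starts with "ASUS Live Update", and the computer names FRY and LEELA are placeholders.

```powershell
# Added example: fleet-wide ASUS Live Update version check via the registry.
# Assumes PowerShell remoting (WinRM) is enabled on the target machines.
$Computers    = @('FRY', 'LEELA')   # constructed sample names; replace with your own
$FixedVersion = [version]'3.6.8'    # version ASUS states contains the added protections

$ScriptBlock = {
    # Both the 64-bit and 32-bit (WOW6432Node) Uninstall hives
    $Paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $Paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'ASUS Live Update*' } |
        Select-Object DisplayName, DisplayVersion
}

$Results = Invoke-Command -ComputerName $Computers -ScriptBlock $ScriptBlock -ErrorAction Continue

$Report = foreach ($r in $Results) {
    # DisplayVersion is a string; cast it to [version] so that 3.10.0 compares above 3.6.8
    $Installed = $null
    $Status = if ([version]::TryParse($r.DisplayVersion, [ref]$Installed)) {
        if ($Installed -lt $FixedVersion) { 'OUTDATED' } else { 'OK' }
    } else { 'UNPARSEABLE' }

    [pscustomobject]@{
        Computer = $r.PSComputerName
        Name     = $r.DisplayName
        Version  = $r.DisplayVersion
        Status   = $Status
    }
}

# Machines that returned nothing either don't have the software or didn't answer;
# list them so they are not silently dropped from the report.
$Answered = $Results | Select-Object -ExpandProperty PSComputerName -Unique
foreach ($c in $Computers | Where-Object { $_ -notin $Answered }) {
    $Report += [pscustomobject]@{ Computer = $c; Name = $null; Version = $null; Status = 'NOT FOUND / NO RESPONSE' }
}

$Report | Sort-Object Status, Computer | Format-Table -AutoSize
```

The [version] cast is the important bit: comparing DisplayVersion as a string would sort "3.10.0" below "3.6.8", so a newer build could be reported as outdated.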

Because PowerShell.

With that being said (and as much as I love PowerShell), I’m still going to recommend using PDQ Inventory the most. It’s just way too easy to get the info I’m looking for.

So, onward to PDQ Inventory!

Using PDQ Inventory to check versions

With PDQ Inventory, we simply need to create a dynamic collection to check application versions. Please note that you’ll need a recent scan of your computers in order to have up-to-date info about them.

Creating a dynamic collection

In this case, we are going to want to look for machines that have software called ASUS Live Update with versions lower than 3.6.8.

The screenshots demonstrate how to create the collection and how the collection will display filtered computers (as is the case with my good buddy FRY). With FRY, we see that ASUS Live Update is installed but that the version is lower than 3.6.8.

Voila! You should now know which machines have ASUS Live Update with a version less than 3.6.8.

How to check which machines have been affected

In addition to getting the ASUS Live Update software updated, you’re also going to want to check for which machines have been affected by ShadowHammer.

To check if your MAC address was part of the affected list, Kaspersky put together a webpage to compare your MAC address against the compromised list. You can see the list here.

Additionally, a security researcher by the name of Vitali Kremez has attempted to reverse engineer and document the ShadowHammer malware. You can read more about that here.

As part of his write-up, he has identified that machines that fail to match the targeted MAC addresses appear to create a file called “idx.ini” in the user directory with a timestamp of +7 days from the current system timestamp.

We have yet to determine the purpose of this file, but we can at least begin to identify it on our systems. With this info, we can either scan for those files with PowerShell or create a PDQ Inventory File Scanner and scan for those files.
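For those who would rather script the check than build a PDQ Inventory scanner, here is an added example (my own, not part of the original post or Kremez’s write-up) covering both indicators above: it lists the machine’s physical MAC addresses in a normalized form for comparison against the Kaspersky lookup page, and it searches every user profile for idx.ini and reports whether the file’s timestamp sits about seven days in the future. Which timestamp the malware sets is not stated, so the script checks both CreationTime and LastWriteTime, and the two-day tolerance is my assumption.

```powershell
# Added example: local ShadowHammer triage (MAC list + idx.ini scan).
# Assumes it runs with rights to read other users' profile folders.

function Get-PhysicalMacAddresses {
    # Normalize to colon-separated lower-case, the form most lookup tools accept
    Get-NetAdapter -Physical -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.MacAddress -replace '-', ':').ToLower() } |
        Sort-Object -Unique
}

function Find-SuspiciousIdxIni {
    param(
        # Parent of the current profile, normally C:\Users
        [string]$ProfileRoot   = (Split-Path $env:USERPROFILE -Parent),
        [int]   $ExpectedDays  = 7,   # offset reported in the write-up
        [int]   $ToleranceDays = 2    # assumed slack around that offset
    )
    $Now = Get-Date
    Get-ChildItem -Path $ProfileRoot -Filter 'idx.ini' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $CreateOffset = ($_.CreationTime  - $Now).TotalDays
            $WriteOffset  = ($_.LastWriteTime - $Now).TotalDays
            $InWindow = {
                param($d) ($d -ge ($ExpectedDays - $ToleranceDays)) -and ($d -le ($ExpectedDays + $ToleranceDays))
            }
            [pscustomobject]@{
                Path            = $_.FullName
                CreationTime    = $_.CreationTime
                LastWriteTime   = $_.LastWriteTime
                DaysAhead       = [math]::Round([math]::Max($CreateOffset, $WriteOffset), 1)
                # True when either timestamp is roughly seven days in the future
                MatchesPattern  = (& $InWindow $CreateOffset) -or (& $InWindow $WriteOffset)
            }
        }
}

'MAC addresses to compare against the Kaspersky lookup page:'
Get-PhysicalMacAddresses

'idx.ini files found under user profiles:'
$Hits = Find-SuspiciousIdxIni
if ($Hits) { $Hits | Format-Table -AutoSize } else { '  (none)' }
```

An idx.ini with an ordinary, present-day timestamp is worth a look but is not by itself the pattern described; the future-dated one is. Either way, treat a hit as a reason to isolate and image the machine rather than to delete the file.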

I’m going to demo how to do it with PDQ Inventory (though the same info can be applied to any tool or script that you may choose to use).

Creating a PDQ Inventory File Scanner for idx.ini

We’re going to create a file scanner that targets all user directories (and subdirectories to be safe) and search for the mentioned file: idx.ini.

With the newly-created file scanner, we should be able to scan all of our machines for idx.ini with a new dynamic collection.

Creating a dynamic collection with file scanner results

Here’s a quick example of how to create a dynamic collection that uses file scanner results as filters.

With this dynamic collection, we should be able to identify any affected machines.

As part of a test of my scanner and collection, I manually created a test file C:\users\reg\idx.ini to demo the logic.

Wrapping Up

That’s it? That’s it.

I hope this info has been helpful to anybody out there. Good luck to everybody that’s been caught up in this mess!

Cheers!
