ShadowHammer: ASUS software updates exploited to distribute malware

ASUS Software Updates Exploited to Distribute Malware

The victims of ShadowHammer malware attack are Windows users.

Kaspersky Lab researchers have made a startling new revelation that the world’s leading computer maker ASUS’s live software update system was compromised by cybercriminals to install a backdoor, which affected ASUS customers.

The attack occurred in 2018 and according to Kaspersky Lab, the attackers compromised the legitimate digital certificates of ASUS to make the malicious file look genuine software update rolled out by the computer maker.

See: Lenovo to pay $7.3m for installing adware in 750,000 laptops

In the malicious software update, nearly half a million Windows computers were affected that was distributed via ASUS servers. Motherboard was the first one to break the news while Kaspersky Lab firstly identified the backdoored software.

ASUS Software Updates Exploited to Distribute Malware

As per the analysis of Kaspersky Lab’s researchers, the malicious update scans a device for its unique MAC address and an associated C&C server pushes the payload, but how is it delivered to the victims or why the hackers installed the backdoor is yet unknown.

Reportedly, the hackers aimed to target ASUS customers since the malware included instructions about 600 systems that were identified by their specific MAC addresses. After detecting the systems the malicious software update installs additional malware to spread the infection on the compromised system.

The attack has been dubbed ShadowHammer by Kaspersky Lab. Such tactics are generally used by nation-states to carry out espionage campaigns such as the notorious Stuxnet that was widely distributed but didn’t cause much harm to the compromised machines.

According to Kaspersky Labs, about 57,000 people using its security software already have the malware installed while Symantec told Motherboard that 13,000 of its customers have their machines infected with the malware.

In total, there might be hundreds of thousands of machines infected by now because by hacking the software update system, hackers can perform wide-range of attacks on the affected computers. Symantec’s official spokesperson Jennifer Duffourg stated that it was a software supply chain attack and added that:

“Our findings suggest the trojanized version of the software were sent to Asus customers between June and October.”

Since supply chain attacks directly infiltrate or target a company, therefore, such attacks are hard to detect immediately unless the company has excellent security systems in place. Motherboard also noted that the fake certificates are active and haven’t been revoked till now, which means ASUS customers are still vulnerable to the attack.

See: New backdoor malware hits Slack and Github platforms

It is worth noting that the backdoor is quite similar to the one used in CCleaner attack since both use the same code-signing certificate that can hide any malicious component. The issue was reported by Kaspersky Labs on January 31. The Asia-Pacific director of Kaspersky Labs, Vitaly Kamluk stated that:

“This attack shows that the trust model we are using based on known vendor names and validation of digital signatures cannot guarantee that you are safe from malware.”

ASUS is yet to notify customers about the infected software update and hasn’t taken any action so far to prevent the malware from being distributed any further. The company has denied that its servers were used to distribute the malware.


ASUS has now released a new version of Live Update software for laptops to fix the ShadowHammer backdoor attack. ASUS has also created an online security diagnostic tool to check for affected systems which can be found here. For more, visit ASUS’s blog post.

Did you enjoy reading this article? Like our page on Facebook and follow us on Twitter.

Related Posts