ASUS Live Update Utility: a new advanced persistent threat (APT) campaign, detected by Kaspersky Lab in January 2019, appears to have been running from June to November 2018.
The threat is reported to have affected more than one million users who downloaded the ASUS Live Update Utility onto their computers.
Kaspersky Lab's Global Research and Analysis Team (GReAT) named this malicious campaign Operation ShadowHammer and, as Kim Zetter first reported, it led to the download and installation of a backdoored version of ASUS Live Update by more than 57,000 users of Kaspersky products (on ASUS computers, of course).
Although Kaspersky was able to block most downloads of the trojanized ASUS Live Update, the company's research team estimates that over one million users are infected.
According to GReAT:
ASUS Live Update is a utility that comes pre-installed on most ASUS computers. It is used to automatically update certain items such as BIOS, UEFI, drivers and applications.
And it continues:
According to Gartner, ASUS was the world's fifth largest computer company as of 2017. This makes the company a highly attractive target for APT groups who may want to take advantage of their user base.
According to GReAT, multiple versions of the infected ASUS Live Update files were distributed, targeting "unknown groups of users identified by MAC addresses."
The attackers behind ShadowHammer used a hardcoded list of MAC addresses to target the distribution of the malware. Kaspersky managed to gather more than 600 MAC addresses from 200 malware samples used in this attack.
Kaspersky's researchers also found that the infected Live Update was digitally signed with legitimate "ASUSTeK Computer Inc." certificates and hosted on ASUS's official update servers (liveupdate01s.asus [.] com and liveupdate01.asus [.] com).
If you're worried about your ASUS computer, Kaspersky released an offline application and an online web checker to check whether your systems have been affected by Operation ShadowHammer.
For the check, we compare your MAC address against the list of hardcoded addresses we discovered in the malware.
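The matching step described above, written out as an added example (this is not Kaspersky's checker and not code from the article). It normalizes MAC addresses across the notations they are commonly written in before comparing a host's adapters against a watchlist; the watchlist values below are constructed placeholders, not addresses from the ShadowHammer samples.

```python
import re
import uuid

# Constructed placeholder watchlist: NOT the MAC addresses from the ShadowHammer
# samples, just example values in mixed notations to exercise the matching logic.
WATCHLIST_RAW = [
    "00:11:22:33:44:55",   # colon-separated
    "AA-BB-CC-DD-EE-FF",   # dash-separated, uppercase
    "0102.0304.0506",      # Cisco-style dotted notation
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Canonicalize a MAC address to lowercase 'aa:bb:cc:dd:ee:ff'.

    Accepts colon, dash, dotted and bare-hex notations so that a watchlist
    written in one style still matches adapters reported in another.
    Raises ValueError on malformed input instead of silently skipping it.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def check_macs(local_macs, watchlist):
    """Return the local MAC addresses (canonical form) found in the watchlist."""
    wanted = {normalize_mac(m) for m in watchlist}
    return sorted({normalize_mac(m) for m in local_macs} & wanted)


def local_mac_addresses():
    """Best-effort list of this host's MAC addresses using only the stdlib.

    uuid.getnode() returns one adapter's MAC as a 48-bit integer; if it could
    not read any adapter it returns a random number with the multicast bit set,
    which we treat as "unknown" rather than reporting a bogus address.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:
        return []
    return ["%012x" % node]


if __name__ == "__main__":
    hits = check_macs(local_mac_addresses(), WATCHLIST_RAW)
    print("matches:", hits if hits else "none")
```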