Hackers hijacked ASUS update server to distribute backdoors on ASUS machines

Hackers in 2018 managed to compromise one of ASUS's servers used to deliver software updates to ASUS machines, and used it to distribute a malicious backdoor to unsuspecting Windows machines.

The attack, which has been given the name ShadowHammer, was discovered late last year and has since been stopped.

With access to the update server, the attackers were able to distribute malicious files that appeared legitimate because they were signed with an ASUS digital certificate. Instead of updates, the phony software gave the attackers a backdoor into infected devices. Kaspersky estimates that about half a million Windows machines received the backdoor from ASUS's update server; however, the attackers appear to have been targeting only about 600 systems. The malware was designed to identify those machines by their MAC address.

Kaspersky said over 57,000 of its users had downloaded and installed the backdoored version of ASUS Live Update, but the issue may affect over a million users worldwide.


Kaspersky said the attack flew under the radar for so long because the trojanized updater was signed with legitimate ASUS certificates, so nobody ever suspected anything was amiss.

Kaspersky has created a tool that can determine whether your computer was specifically targeted in the attack by comparing the machine's MAC addresses with those the attackers were looking for.
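As an added example (not Kaspersky's tool and not code from the article), here is a simplified Python re-creation of the check described above: normalize this machine's MAC addresses, hash them, and compare them against a target list. The constructed target list, the SHA-256 hashing and the stdlib-only adapter enumeration are this example's own assumptions, not a description of how the real implant or Kaspersky's tool works.

```python
"""Check local network adapters against a list of targeted MAC addresses.

Added example: a simplified re-creation of the kind of check the article
describes (compare this machine's MAC addresses with a target list).
It is not Kaspersky's tool, and the target list below is constructed.
"""
import hashlib
import re
import uuid

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> str:
    """Return a MAC as lowercase 'aa:bb:cc:dd:ee:ff'.

    Accepts the common spellings: colon-, hyphen- and dot-separated as well
    as bare 12 hex digits. Raises ValueError for anything else, so a typo in
    the list can never silently turn into a non-match.
    """
    digits = re.sub(r"[:\-.]", "", raw.strip().lower())
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def hash_mac(mac: str) -> str:
    """SHA-256 of the normalized MAC. The list is stored hashed so a checker
    can be published without disclosing the plain addresses it looks for.
    (The hash choice is this example's own, not a claim about the real implant.)
    """
    return hashlib.sha256(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed sample target list (made up for this example). A real checker
# would ship only the hashes, never these plaintext addresses.
TARGETED_MAC_HASHES = frozenset(
    hash_mac(m) for m in ["00:1a:2b:3c:4d:5e", "08-00-27-12-34-56", "3c0754aabbcc"]
)


def find_targeted(local_macs, targeted_hashes=TARGETED_MAC_HASHES) -> list:
    """Return the normalized local MACs whose hash is on the target list."""
    hits = []
    for mac in local_macs:
        norm = normalize_mac(mac)
        if hash_mac(norm) in targeted_hashes:
            hits.append(norm)
    return hits


def local_mac_addresses() -> list:
    """Best-effort, stdlib-only enumeration: uuid.getnode() yields the primary
    adapter's MAC. When no hardware address is available it returns a random
    number with the multicast bit set; such a value is discarded rather than
    compared, so the check never reports a match on a made-up address.
    """
    node = uuid.getnode()
    if (node >> 40) & 1:  # multicast bit set -> not a real hardware address
        return []
    return [":".join(f"{(node >> shift) & 0xff:02x}" for shift in range(40, -1, -8))]


if __name__ == "__main__":
    macs = local_mac_addresses()
    hits = find_targeted(macs)
    print(f"checked {len(macs)} adapter(s); matches on target list: {hits or 'none'}")
```

Run it as a script on the machine you want to check; an empty result only means the primary adapter's address is not on the (constructed) list, and a production checker would enumerate every adapter and ship only hashes.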