How Hackers Turned a Friend to a Foe - An Investigation into the ShadowHammer Operation
Synopsis
A sophisticated operation known as ShadowHammer was discovered in 2018. The adversary involved in the ShadowHammer operation was able to compromise a computer vendor’s software update tool and modify it into a trojan downloader. This allowed the adversary to leverage people’s trust in the computer vendor’s brand to get a global audience to freely install the trojanized tool. What is interesting is that for the vast majority of infected systems, the trojanized tool remained dormant. This is because the ShadowHammer operation is a form of supply chain attack. In a supply chain attack, the adversary finds a supplier used by the target that is easier to exploit than the target itself. The adversary attacks the supplier and uses it to gain access to the target. According to Symantec, supply chain attacks increased by 78% in 2018.
This report will provide an overview of the ShadowHammer operation and provide recommendations for organizations to prevent future supply chain attacks.
It’s Hammer Time
On March 25, 2019, cybersecurity and antivirus provider Kaspersky publicly disclosed the discovery of a trojanized update tool found on ASUS Live Update servers. Hackers were able to replace a legitimate version of the ASUS Live Update tool with a trojanized version that not only matched in file size, but was also signed with a legitimate ASUS certificate, making the trojanized tool very difficult to detect. Between June and November 2018, it is estimated that 500,000 to 1 million laptops had installed the trojanized ASUS Live Update tool.
ASUS put out a response the following day, categorizing the attack as being performed by an Advanced Persistent Threat (APT) group targeting organizations, and stating that individual consumers were at low risk of malicious intent. ASUS also indicated that the trojanized ASUS Live Update tool only affected ASUS laptops, that it had been removed from their servers, and that countermeasures had been put in place.
Although ASUS was a victim of the attack, they were only an intermediary target and not the end target. ASUS was effectively used as a delivery agent to 600 targeted laptops. Only machines with a matching MAC address would access the command and control (C2) channel to download additional malware.
Who was ShadowHammer Trying to Nail?
For obvious reasons, ASUS did not disclose what organization or organizations were targeted. Nor did any organization publicly come forward to claim that they were the target of the operation.
Kaspersky reports that for some targeted laptops a second MAC address is checked to determine the presence of a specific version of VMware software for Windows, while other laptops were checked for the presence of a Huawei model E3372h USB 3G modem.
Skylight Cyber reverse engineered Kaspersky’s offline ShadowHammer detection tool and extracted the MAC address list. The MAC address list shows no continuous series of MAC addresses that would indicate a guess and test approach on the target’s MAC address.
Instead, these two findings indicate that the adversary knows more about the target than simply the use of ASUS laptops. The adversary appears to know what tools the target users use and to have methods to obtain the precise MAC address of the laptops of interest.
The MAC address of a laptop is not something that is trivial to obtain as it is usually only shared with network infrastructure such as a router or switch. Therefore it is probable that the adversary had access to the target organization’s asset inventory or network access logs.
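The contiguity test described above for the extracted MAC list can be expressed as a short analysis routine. This is an added example, not code from the original report or from Skylight Cyber's tooling; the function names are hypothetical and the sample addresses are constructed (locally administered prefix), not values from the real list.

```python
"""Added example: test a MAC address list for sequential runs (constructed data)."""
import re
from collections import defaultdict

def parse_mac(text):
    """Return the MAC as a 48-bit integer, or None if it is malformed."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return int(digits, 16)

def sequential_runs(macs, min_len=3):
    """Group MACs by OUI (top 24 bits) and return every run of consecutive
    device IDs at least min_len long, as (oui_hex, first_id, last_id, length).
    A guess-and-test list would show long runs; a list built from an
    inventory of known devices would show few or none."""
    by_oui = defaultdict(set)
    for mac in macs:
        value = parse_mac(mac)
        if value is not None:
            by_oui[value >> 24].add(value & 0xFFFFFF)
    runs = []
    for oui, ids in sorted(by_oui.items()):
        ordered = sorted(ids)
        start = prev = ordered[0]
        # The trailing None is a sentinel that flushes the final run.
        for cur in ordered[1:] + [None]:
            if cur is not None and cur == prev + 1:
                prev = cur
                continue
            length = prev - start + 1
            if length >= min_len:
                runs.append((f"{oui:06X}", start, prev, length))
            start = prev = cur
    return runs

# Constructed samples: mixed notations, one malformed entry, no adjacency.
SCATTERED = ["02:00:5E:10:2A:7C", "02:00:5E:9B:01:F3",
             "02-00-5E-44-D0-18", "0200.5e00.beef", "not-a-mac"]
# Constructed samples: what a sequential sweep of one vendor range looks like.
SWEEP = ["02:00:5E:00:10:00", "02:00:5E:00:10:01",
         "02:00:5E:00:10:02", "02:00:5E:00:10:03"]

if __name__ == "__main__":
    print("scattered:", sequential_runs(SCATTERED))
    print("sweep:    ", sequential_runs(SWEEP))
```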
How Good of a Hammer is ShadowHammer?
It is not publicly known how the ShadowHammer operatives were able to upload and replace versions of the trojanized tool on the official ASUS servers that hosted the http://liveupdate1.asus.com and https://liveupdate1s.asus.com domains.
Two major trojanized variants were created from a legitimate March 2015 version of the ASUS Live Update tool. In early variants, circulated from June to September, the WinMain function was modified to load and execute malicious shellcode as the application started up. To increase stealthiness, later variants obfuscated the malicious shellcode, and the decoding and execution of the shellcode occurred only after the legitimate functionality had completed and the application was exiting.
What further elevates the skill and sophistication of the ShadowHammer operatives is that they ensured the file size of the trojanized tool matched that of the legitimate file and somehow also had the ability to sign the trojanized tool with an official ASUS certificate. The level of attention to detail and unusual access to authentication tools and server infrastructure allowed them to remain undetected for months by ASUS and the public.
The Building of ShadowHammer
The publicly available details of the ShadowHammer operation are limited. What is certain about the adversary behind the ShadowHammer operation is:
- 500,000 to 1 million laptops installed the trojanized software update tool. There are no reports that any of these laptops were exploited for monetary gains
- They had the ability to upload files to official ASUS servers
- They had the ability to sign files with an official ASUS certificate
- They registered the asushotfix[.]com domain on May 5, 2018. The IP address of 141.105.71[.]116, located in Russia, was assigned to this domain. This domain was used as the communication channel for command and control (C2)
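
The C2 domain and IP address listed above can be swept for in retained DNS resolver logs. This is an added detection example, not part of the original report; the key=value log format, the function names and the sample log lines are assumptions constructed for illustration, and only the two indicators come from the report.

```python
"""Added example: sweep resolver logs for the ShadowHammer C2 indicators."""
import re

def refang(indicator):
    """Turn a defanged indicator such as 'example[.]com' into matchable form."""
    return indicator.replace("[.]", ".").lower()

C2_DOMAIN = refang("asushotfix[.]com")   # indicator from the report
C2_IP = refang("141.105.71[.]116")       # indicator from the report

FIELD = re.compile(r"(\w+)=(\S+)")       # assumed key=value log format

def classify(line):
    """Return the set of indicator types ('domain', 'ip') hit by one line."""
    fields = dict(FIELD.findall(line))
    hits = set()
    name = fields.get("query", "").lower().rstrip(".")
    # Match on DNS label boundaries so 'notasushotfix.com' is not a hit.
    if name == C2_DOMAIN or name.endswith("." + C2_DOMAIN):
        hits.add("domain")
    # Compare whole addresses so a longer or shorter address never matches.
    if C2_IP in fields.get("answer", "").split(","):
        hits.add("ip")
    return hits

def sweep(lines):
    """Return (client, sorted hit types) for every line with at least one hit."""
    results = []
    for line in lines:
        hits = classify(line)
        if hits:
            client = dict(FIELD.findall(line)).get("client", "?")
            results.append((client, sorted(hits)))
    return results

# Constructed sample log lines; client and non-C2 answer addresses are made up.
SAMPLE_LOG = [
    "2018-07-02T09:14:03Z client=10.0.4.17 query=asushotfix.com. type=A answer=141.105.71.116",
    "2018-07-02T09:14:09Z client=10.0.4.22 query=liveupdate1.asus.com type=A answer=203.0.113.10",
    "2018-07-02T09:15:41Z client=10.0.4.31 query=NotAsusHotfix.com type=A answer=198.51.100.7",
    "2018-07-02T09:16:00Z client=10.0.4.40 query=cdn.example.net type=A answer=198.51.100.9,141.105.71.116",
]

if __name__ == "__main__":
    for client, hits in sweep(SAMPLE_LOG):
        print(client, hits)
```

A hit identifies a host that resolved or was answered with the C2 infrastructure, which, per the report, only machines with a matching MAC address were expected to contact.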
Diagram 1: Diamond Model - Activity-Attack Graph
Table 1: Activity Thread Event Descriptions
Table 2: Activity Thread Arc Descriptions
Who Wields the ShadowHammer?
The people behind the ShadowHammer operation are not your run-of-the-mill hackers. They are a highly skilled and organized group. Exact attribution is difficult, but Kaspersky noted three other cybersecurity attacks that have similar attack patterns and coding signatures. One of these similar attacks is the ShadowPad operation discovered in 2017.
ESET released a report in October 2019 that indicated their analysis also yielded strong similarities and connections between the adversaries behind ShadowPad and ShadowHammer. ESET attributes both attacks to the Winnti group. ESET speculates that Winnti is not one unified group but a collection of factions.
Microsoft Threat Intelligence (MTI) has a slightly different interpretation and associates Winnti with the “collections of malware, supporting infrastructure, online personas, victimology, and other attack artifacts” used by an activity group. MTI doesn’t consider Winnti an actual group but a classification of an activity group.
Microsoft identifies the Barium group as part of Winnti. Microsoft’s profile of the Barium group is that it “begins its attacks by cultivating relationships with potential victims—particularly those working in Business Development or Human Resources—on various social media platforms.” A majority of Barium’s victims are in the electronic gaming, multimedia, and Internet content industries. The Barium group seems like a potential candidate as the adversary behind the ShadowHammer operation.
Diagram 2: Winnti operations and exploits 
What are the Lessons?
Cybersecurity is an ever-increasing arms race. As organizations increase their cybersecurity prowess, attackers are finding more sophisticated ways to achieve their objectives.
In the case of the ShadowHammer operation, Kaspersky privately disclosed its findings to ASUS in January 2019. ASUS had a Vulnerability Disclosure Policy in place and they responded swiftly to address the matter. ASUS may have already been aware of the issue, as installations of the trojanized tool ceased after November 2018. Kaspersky noted that ASUS continued to use the compromised certificate to sign other applications a month after the private notification, and Kaspersky notified ASUS of this finding. This finding indicates that either the ASUS security team could be better trained, or that they were aware of the issue but the organization did not appropriately prioritize or escalate the decommissioning of the certificate.
There are no reports on the cost borne by ASUS in dealing with the ShadowHammer operation. In 2017, Microsoft filed a federal complaint against the Barium group. In the filing, Microsoft states that dealing with a single Barium intrusion had an average cost of $250,000 to $1.3 million. “This does not include the cost of new architecture, intrusion prevention devices, network security changes to prevent future intrusions, or the damage caused by having sensitive information stolen.”
For organizations there are some key takeaways:
- Keep track of where the digital certificates used to authenticate your products are held and who has access to them
- Consider a dedicated Chief Information Security Officer (CISO) who has executive authority and budget to execute reactive and proactive cybersecurity initiatives
- Have a Vulnerability Disclosure Policy (VDP) in place, along with a well-documented external process to report vulnerabilities and internal procedures to facilitate and escalate reported vulnerabilities
- Begin to or continue to educate non-IT staff on new cybersecurity threats and how to identify and report them
- Develop a plan on actionable steps towards a Zero-Trust network model
Can Hammer Production Be Stopped?
Obviously, an affected organization is going to take defensive measures to neutralize the attack and mitigate the threat within their organization. But collective support options are currently limited for organizations who want to take an offensive strategy and take down these groups instead of letting them persist.
In this sense, taking action against cybercrime is akin to taking action against climate change. It isn’t one organization’s responsibility to take down all cybercriminals, nor is it the responsibility of one nation. It is a global collective endeavour that every organization and nation should undertake. But that’s the crux of the problem: governance complexities and challenges increase exponentially as scope increases from an organization to an industry, from an industry to a nation, and from a nation to the globe.
Cybercriminals are finding creative ways to achieve their objectives. Cybercrime, like cyberspace, is not bounded by organizational, industrial, or national boundaries. The leaders of organizations, industries, and nations need to find equally creative ways to collaborate and work together to fight back against cybercrime.
GReAT and Amr. “Operation ShadowHammer: A High Profile Supply Chain Attack.” Securelist, April 23, 2019. https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/
“Check if your device has been targeted by the ShadowHammer cyberattack.” Kaspersky, https://shadowhammer.kaspersky.com/
“ShadowHammer: Malicious updates for ASUS laptops.” Kaspersky Daily, March 25, 2019. https://www.kaspersky.com/blog/shadow-hammer-teaser/26149/
“ASUS Software Updates Used for Supply Chain Attacks.” Symantec Blogs / Threat Intelligence, March 25, 2019. https://www.symantec.com/blogs/threat-intelligence/asus-supply-chain-attack
“Internet Security Threat Report.” Symantec, February 2019. https://www.symantec.com/content/dam/symantec/docs/reports/istr-24-2019-en.pdf
“Unleash The Hash.” Skylight, March 28, 2019. https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/
Paganini, Pierluigi. “Experts released the List of ~600 MAC addresses hit in ASUS hack.” Security Affairs, March 31, 2019. https://securityaffairs.co/wordpress/83116/hacking/operation-shadowhammer-mac-addresses.html
Zetter, Kim. “Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers.” Vice, March 25, 2019. https://www.vice.com/en_us/article/pan9wn/hackers-hijacked-asus-software-updates-to-install-backdoors-on-thousands-of-computers
“Analysis of ShadowHammer ASUS Attack First Stage Payload.” F-Secure Blog, March 28, 2019. https://blog.f-secure.com/analysis-shadowhammer-asus-attack-first-stage-payload/
M.Léveillé, Marc-Etienne and Tartare, Mathieu. “CONNECTING THE DOTS. Exposing the arsenal and methods of the Winnti Group.” ESET, October 2019. https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf
“ASUS Product Security Advisory.” ASUS, https://www.asus.com/Static_WebPage/ASUS-Product-Security-Advisory/
“Detecting threat actors in recent German industrial attacks with Windows Defender ATP.” Microsoft, January 25, 2017. https://www.microsoft.com/security/blog/2017/01/25/detecting-threat-actors-in-recent-german-industrial-attacks-with-windows-defender-atp/
Staples, Daniel W. “Microsoft Asks Judge to Take Down Barium Hackers.” Courthouse News Service, November 2, 2017. https://www.courthousenews.com/microsoft-asks-judge-take-barium-hackers/
“MICROSOFT CORPORATION, a Washington corporation, Plaintiff, V. JOHN DOES 1-2, CONTROLLING A COMPUTER NETWORK AND THEREBY INJURING PLAINTIFF AND ITS CUSTOMERS, Defendants.” October 26, 2017. https://www.courthousenews.com/wp-content/uploads/2017/11/barium.pdf