
ShadowHammer

Posted: April 1, 2019

ShadowHammer is a backdoor Trojan that its threat actors are distributing in hijacked ASUS software updates, with an emphasis on specific entities using notebook systems. Users can run a variety of specialized tools to determine whether they are infected and should install all relevant ASUS security patches immediately. Besides removing ShadowHammer with appropriate anti-malware tools and installing patches, victims should consider changing login credentials to keep remote attackers from taking advantage of any information that ShadowHammer helps collect.

The Hammer is Dropping from Where You're not Looking

A group of threat actors has turned ASUS's update-delivery servers into vehicles for dropping Trojans in place of the usual patches. Estimates from different members of the PC security industry put the number of infected machines at over fifty thousand at the low end, with potentially up to roughly one million users affected. As usual, this sophisticated attack is the delivery mechanism for a backdoor Trojan, named ShadowHammer, that opens the way for follow-up threats with narrower payloads than itself.

ASUS claims that only notebook PC users are affected, although the same method of attack could infect nearly any user downloading fake 'updates' from the previously compromised server architecture. While malware researchers can only estimate ShadowHammer's full set of features, it may be used to disable network security features, collect credentials such as passwords, or drop additional threats onto the computer. Whether ShadowHammer's authors intend profit or state-sponsored sabotage is not known.

What is verifiable about ShadowHammer is its use of MAC address filtering based on the network adapter. During installation, it checks the system against a hard-coded list of values, which drastically narrows the scope of its targets. However, the only initial 'mistake' needed to enable the Trojan's installation is running the default ASUS Live Update Utility without the latest patch, which makes ShadowHammer's future applications far more flexible than its current campaign constraints.

Turning a Harsh Blow into Just a Shadow of a Problem

Users who believe they are at risk from ShadowHammer's campaign, or already infected, can take advantage of free tools from both ASUS and Kaspersky for detecting infections and preventing future ones. Kaspersky offers a Web service for double-checking your network adapter's MAC address against ShadowHammer's list, which supplements the detection application from ASUS. Fortunately, the computer and phone manufacturer has corrected the flaws in its server architecture that allowed ShadowHammer's distribution, as of Live Update version 3.6.8.
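The MAC-address check described above, performed by the Trojan at install time and offered to defenders as a Web lookup by Kaspersky, can be reproduced locally so that an administrator can sweep a fleet without submitting adapter addresses to a third party. The script below is an added example, not code from this article, from ASUS or from Kaspersky. The watchlist it ships with is constructed for illustration and contains none of the real ShadowHammer indicators; the assumption that a publisher might release the list as MD5 digests of the lowercase colon-separated address is likewise a labelled assumption, and the digest convention should be checked against whatever list is actually used.

```python
"""Defender-side sweep: does any MAC address on this host appear on a
watchlist of adapter addresses that a targeted implant selects for?
Added example; the watchlist below is CONSTRUCTED and is not a real IoC list."""
import hashlib
import re
import subprocess
import sys
import uuid
from pathlib import Path

# Constructed sample watchlist (NOT the real ShadowHammer list).  Entries may
# use any common notation.  ASSUMPTION: a publisher may release only MD5
# digests of the normalized 'aa:bb:cc:dd:ee:ff' form, so digests are accepted.
SAMPLE_WATCHLIST = [
    "00-11-22-33-44-55",
    "aabb.ccdd.eeff",
    hashlib.md5(b"01:23:45:67:89:ab").hexdigest(),  # digest-form entry
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")
_MD5 = re.compile(r"^[0-9a-f]{32}$")
_NULL_MAC = "00:00:00:00:00:00"


def normalize_mac(raw: str) -> str:
    """Return the address as lowercase 'aa:bb:cc:dd:ee:ff' whatever the input
    notation (colons, dashes, Cisco dotted, bare hex).  Raises ValueError if
    the input does not contain exactly 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_index(watchlist):
    """Split the watchlist into normalized plain addresses and MD5 digests."""
    plain, digests = set(), set()
    for entry in watchlist:
        e = entry.strip().lower()
        if _MD5.match(e):
            digests.add(e)
        else:
            plain.add(normalize_mac(e))
    return plain, digests


def match_watchlist(local_macs, watchlist):
    """Return the sorted normalized local addresses that hit the watchlist,
    either directly or via the MD5 digest of the normalized address.
    Unparseable strings and the all-zero (loopback) address are ignored."""
    plain, digests = build_index(watchlist)
    hits = set()
    for mac in local_macs:
        try:
            n = normalize_mac(mac)
        except ValueError:
            continue
        if n == _NULL_MAC:
            continue
        if n in plain or hashlib.md5(n.encode()).hexdigest() in digests:
            hits.add(n)
    return sorted(hits)


def collect_local_macs():
    """Best-effort enumeration of adapter addresses on the running host.
    Linux: /sys/class/net/*/address; Windows: 'getmac /fo csv /nh';
    otherwise fall back to uuid.getnode(), which yields one adapter only."""
    macs = set()
    sysfs = Path("/sys/class/net")
    if sysfs.is_dir():
        for addr in sysfs.glob("*/address"):
            try:
                macs.add(addr.read_text().strip())
            except OSError:
                pass
    elif sys.platform == "win32":
        out = subprocess.run(["getmac", "/fo", "csv", "/nh"],
                             capture_output=True, text=True).stdout
        for line in out.splitlines():
            if line.startswith('"'):
                macs.add(line.split('","')[0].strip('"'))
    if not macs:
        macs.add(f"{uuid.getnode():012x}")
    return macs


if __name__ == "__main__":
    # Replace SAMPLE_WATCHLIST with the published list before a real sweep.
    hits = match_watchlist(collect_local_macs(), SAMPLE_WATCHLIST)
    print("watchlist hits:", hits if hits else "none")
```

Run it on each host or feed `match_watchlist` a list of addresses pulled from inventory. A hit means the adapter address is one the implant would have accepted, which justifies treating the host as potentially compromised and running the ASUS detection tool on it; an empty result is not proof of a clean machine, since Live Update versions before 3.6.8 could still have fetched the trojanized update, so patching remains necessary regardless of the sweep's outcome.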

The risks of backdoor Trojan-based attacks include loss of confidential information, including login and admin credentials, and, as with the Globe Ransomware, the arbitrary deletion or disabling of critical security and repair features such as the Shadow Volume Copies. The observable symptoms of any backdoor Trojan are limited, and most users should have their anti-malware solutions find and uninstall ShadowHammer, when appropriate.

The ShadowHammer attacks are a wake-up call for at least one hardware company and offer an unusual example of a case where the ultimate victim of an attack isn't at fault for the lapse in security. That fact is, however, cold comfort to any organizations that may end up suffering damages just from downloading an update from a supposedly reliable source.
