In March, we published the results of our investigation into a sophisticated supply-chain attack involving the ASUS Live Update Utility, used to deliver BIOS, UEFI and software updates to ASUS laptops and desktops. The attackers added a backdoor to the utility and then distributed it to users through official channels.
ASUS was not the only company the attackers abused in this way. Other targets included several gaming companies, a conglomerate holding company and a pharmaceutical company – all located in South Korea. Either the attackers had access to the source code of the victims’ projects, or they injected malware at the time the projects were compiled – either way, this indicates that they had already compromised the networks of those companies.
Our analysis of the sophisticated backdoor deployed by the attackers revealed that it was an updated version of the ShadowPad backdoor used in supply-chain attacks that we reported in 2017. The newly updated version used by ShadowHammer follows the same principle as before. The backdoor unwraps multiple stages of code before activating a system of plugins responsible for bootstrapping the main malicious functionality. The attackers used at least two stages of C2 servers, where the first stage would provide the backdoor with an encrypted next-stage C2 domain. We also found that ShadowHammer reused algorithms used in multiple malware samples, including PlugX – a backdoor that is quite popular among Chinese-speaking hacker groups.
Source: Kaspersky Lab