Operation ShadowHammer Exploited Weaknesses in the Software Pipeline

Kaspersky security researchers described how hackers used software updates to push malware onto victims’ computers

When security researchers at Kaspersky Lab disclosed Operation ShadowHammer in March, they described how attackers tampered with software updates from PC-maker ASUSTeK Computer to install malware on victims’ computers. Now, new details revealed last week indicate the operation was even more insidious—it sabotaged developer tools, an approach that could spread malware much faster and more discreetly than conventional methods.

In ShadowHammer, a sophisticated group of attackers modified an old version of the ASUS Live Update Utility software and pushed out the tampered copy to ASUS computers around the world, said Kaspersky Lab. The Live Update Utility, which comes preinstalled in most new ASUS computers, automatically updates the set of firmware instructions that control the computer’s input and output operations, hardware drivers, and applications. The modified tool, signed with legitimate ASUSTeK certificates and stored on official servers, looked like the real thing. But once it was planted, it gave the attackers the ability to control the computer through a remote server and install additional malware.

ShadowHammer is an “example of how sophisticated and dangerous a smart supply chain attack can be,” said Vitaly Kamluk, Kaspersky’s director of the global research and analysis team.

ASUSTeK wasn’t ShadowHammer’s only victim. Attackers also targeted at least three gaming companies based in Asia through a similar method, Kaspersky researchers found. Instead of subverting software updates, though, the attackers made a one-line change to their targets’ integrated development environment (IDE), a software program that developers use to write code. The effect was that whenever Microsoft Visual Studio compiled code with a specific Microsoft-owned library, the IDE used a similarly named library file instead.

Compilers and development platforms are at the core of the software supply chain, said Noushin Shabab, the Kaspersky senior security analyst who reverse-engineered the ShadowHammer malware. One infected compiler on a few developers’ machines can result in thousands of Trojanized software applications installed on millions of end-user computers.

“It’s a poisonous seed. Plant your poisonous seed in a safe place, and it will turn into the poisonous tree with fruit,” Shabab said.

Since the compiler pulls in relevant pieces of code from linked libraries and other components, using the tampered library meant code the developer did not intend to include was added to the application. A source code review won’t find the issue because the problem isn’t anywhere in the original code and the developer doesn’t know about the alternate library.
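
The passage above explains why a source review cannot catch a library substituted at compile time. What can catch it is pinning the build inputs themselves: a trusted manifest of library hashes checked before every build. The following is an added illustration, not code from the article or from Kaspersky; the library names, contents and manifest are constructed placeholders (the article does not name the Microsoft library involved). It flags three conditions: a library whose name matches but whose contents changed, an expected library that has gone missing, and a look-alike file the manifest never authorised, which is the pattern the article describes.

```python
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass

# Constructed sample "build inputs". The trusted manifest records the SHA-256 of
# every library the build may link against. Names and bytes are placeholders,
# not the real library involved in ShadowHammer.
TRUSTED_LIB = b"trusted-library-bytes-v1"
TAMPERED_LIB = b"trusted-library-bytes-v1\x00extra-code-stub"  # same name class, different contents


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Finding:
    path: str
    kind: str  # "mismatch", "missing" or "unexpected"
    expected: str = ""
    actual: str = ""


def verify_build_inputs(lib_dir: str, manifest: dict[str, str]) -> list[Finding]:
    """Compare every file under lib_dir against the pinned manifest {relative_path: sha256}.

    mismatch   - expected name, unexpected contents
    missing    - an authorised library is absent (the linker may silently pick another)
    unexpected - a file the manifest never authorised, e.g. a similarly named drop-in
    """
    present: dict[str, str] = {}
    for root, _, files in os.walk(lib_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, lib_dir).replace(os.sep, "/")
            with open(full, "rb") as fh:
                present[rel] = sha256_hex(fh.read())

    findings: list[Finding] = []
    for rel, expected in manifest.items():
        if rel not in present:
            findings.append(Finding(rel, "missing", expected=expected))
        elif present[rel] != expected:
            findings.append(Finding(rel, "mismatch", expected=expected, actual=present[rel]))
    for rel, actual in present.items():
        if rel not in manifest:
            findings.append(Finding(rel, "unexpected", actual=actual))
    return sorted(findings, key=lambda f: (f.path, f.kind))


def build_sample_tree(tampered: bool) -> tuple[str, dict[str, str]]:
    """Create a throwaway library directory plus the manifest recorded when it was trusted."""
    lib_dir = tempfile.mkdtemp(prefix="libcheck_")
    manifest = {"example.lib": sha256_hex(TRUSTED_LIB)}
    with open(os.path.join(lib_dir, "example.lib"), "wb") as fh:
        fh.write(TAMPERED_LIB if tampered else TRUSTED_LIB)
    if tampered:
        # A look-alike file placed beside the real one (constructed, for the demo).
        with open(os.path.join(lib_dir, "examp1e.lib"), "wb") as fh:
            fh.write(TAMPERED_LIB)
    return lib_dir, manifest


def run_check(tampered: bool) -> list[str]:
    """Return findings as 'kind:path' strings for a clean or a tampered sample tree."""
    lib_dir, manifest = build_sample_tree(tampered)
    return [f"{f.kind}:{f.path}" for f in verify_build_inputs(lib_dir, manifest)]


if __name__ == "__main__":
    print("clean tree   :", run_check(False))   # []
    print("tampered tree:", run_check(True))    # ['unexpected:examp1e.lib', 'mismatch:example.lib']
```

The manifest has to be generated and stored somewhere the build host cannot rewrite, and the check is worth running from a separate machine, since a compromised developer workstation can lie about its own files just as a tampered compiler lies about its output. Comparing the same source built on two independent machines (reproducible builds) extends the same idea to the finished binary.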

“When your compiler lies to you, your product always contains a backdoor, no matter what the source code is,” Kamluk said.

Kaspersky researchers found clues suggesting a group called Barium was behind both sets of attacks. Barium is known for a style of attack called “advanced persistent threat,” which infects a computer or network and then lies undetected for a period of time. The group was previously linked to 2017’s ShadowPad attack, which compromised an update feature in server management software provided by the Korean firm NetSarang to install a backdoor on associated machines. One of the affected gaming companies in the ShadowHammer attack used NetSarang’s Windows X-server management software, Kamluk said.