Thousands of Asus computer users were sent malware from a trusted source – the official Asus updater.
The attack was described by Asus as an Advanced Persistent Threat, of the type “usually initiated by a couple of specific countries, targeting certain international organizations or entities.”
The attack had several moving parts: a compromised Asus update server, misused digital certificates, the automatic update mechanism itself, and a short, targeted list of victims.
“The cybercriminals utilized weaknesses in the Asus supply chain and digital certificate system and did what one could call a ‘spear-hacking’ attack,” said Alexander Vukcevic, head of the Avira Protection Lab. “Weaponizing popular software with a Trojan is an effective approach, as this software is usually considered trustworthy. This makes it all the more important for vendors to secure their processes and servers.”
Just the update facts
The attack began with the compromise of the Asus server that distributes software updates. The attackers built their own bogus update containing a backdoor that gave them a direct path into each device that installed it. The update was labelled “critical”, signed with a legitimate Asus certificate so that it looked valid and authentic, and distributed from the Asus servers over a period of about five months in 2018. Because the signature was genuine, the client-side signature check that is supposed to reject tampered updates passed.
Many were sent, some installed it
The success rate for the bogus update looked like a traditional sales funnel: early estimates are that it was sent to over a million devices, and several hundred thousand devices are believed to have actually installed it. “So far at Avira, we’ve seen more than 438 thousand executions of the initial installer by Asus customers,” stated Vukcevic. “The second-stage shellcode will be executed by the installer in memory. We’ve found two different versions of the trojanized installer. The first one contains an unencrypted payload and modifies the WinMain code to copy the shellcode from the EXE rsrc area into a newly allocated memory block and directly executes it there. The second one has the payload encrypted and decrypts it with a code block called from the modified __crtExitProcess runtime function before terminating the installer. Again, the shellcode is only executed in memory.”
Were only 600 chosen?
The most interesting part of this story is that out of the hundreds of thousands of estimated infected devices, only a few hundred were targeted for additional malware. The initial installer identified these computers by their MAC address, the hardware address of the machine’s network adapter. Once it had matched a device against its list, it reached out to a command-and-control server for an additional, second-stage dose of malware for that device; machines that did not match received nothing further.
Avira research has shown that the list was small, but that it also changed across versions of the malware. “The June 12 binary only contains a very short list of MAC addresses, but there were updates to the malware binary that continued to receive more MAC numbers every time,” added Vukcevic.
This supports the scenario that the attackers’ goal was to get into specific victims’ devices on an “as needed” basis, not to widely distribute malware and monetize their work via bank fraud or a ransomware attack.
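As an added example of the targeting logic described above (not Avira’s or Asus’s code, and not the real target list), the script below checks a host’s network adapters against a MAC-address list the way a defender would when asking “would this machine have been selected for stage two?”. The MAC values, the later list that models the growing target list, and the sample getmac output are all constructed for illustration. The page says only that the installer selected machines by MAC address and that later builds carried more addresses; the comparison is modelled here as a set-membership test on normalised addresses, which is an assumption, not a description of the real installer’s internals.

```python
"""Host-side check: would this machine's MAC address have matched a
stage-two target list? Added example; constructed data throughout."""
import re
import uuid

# Constructed sample target list (hypothetical values, NOT the real list).
TARGET_LIST_JUNE = [
    "00:11:22:33:44:55",
    "AA-BB-CC-DD-EE-01",
]
# A later build shipped with more entries; modelled as a second constructed
# list that is merged with the first.
TARGET_LIST_LATER = [
    "aabbccddee01",          # same adapter as above, different formatting
    "0C:9D:92:00:00:FF",
]

# Matches colon- or dash-separated MACs as printed by getmac, ipconfig /all
# and ip link; separator-free forms are handled by normalize_mac().
MAC_RE = re.compile(r"(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}")

# Constructed sample of `getmac` output on a Windows host (not real data).
SAMPLE_GETMAC_OUTPUT = """\
Physical Address    Transport Name
=================== ==========================================================
00-11-22-33-44-55   \\Device\\Tcpip_{A1B2C3D4-0000-0000-0000-000000000001}
08-00-27-13-37-42   Media disconnected
"""


def normalize_mac(mac: str) -> str:
    """Canonical form: 12 lowercase hex digits, no separators.
    Accepts 00:11:..., 00-11-..., 001122... and mixed case."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits.lower()


def build_target_set(*lists) -> set:
    """Merge one or more target lists (e.g. successive malware builds)
    into a single normalised set, de-duplicating differently formatted
    entries for the same adapter."""
    targets = set()
    for entries in lists:
        targets.update(normalize_mac(e) for e in entries)
    return targets


def extract_macs(text: str) -> list:
    """Pull every MAC address out of tool output, in order of appearance."""
    return [normalize_mac(m) for m in MAC_RE.findall(text)]


def local_macs() -> list:
    """Primary adapter MAC of the machine running this script.
    uuid.getnode() returns a random 48-bit value with the multicast bit set
    when no hardware address can be read, so treat the result accordingly."""
    return ["%012x" % uuid.getnode()]


def matching_targets(host_macs, targets: set) -> set:
    """Which of the host's adapters appear in the target set."""
    return {normalize_mac(m) for m in host_macs} & targets


def would_fetch_stage_two(host_macs, targets: set) -> bool:
    """The decision modelled on the installer's behaviour: only a host with
    a listed adapter contacts the C2 for the second stage."""
    return bool(matching_targets(host_macs, targets))


if __name__ == "__main__":
    targets = build_target_set(TARGET_LIST_JUNE, TARGET_LIST_LATER)
    sample = extract_macs(SAMPLE_GETMAC_OUTPUT)
    print("sample host adapters:", sample)
    print("sample host targeted:", would_fetch_stage_two(sample, targets))
    print("this host targeted:  ", would_fetch_stage_two(local_macs(), targets))
```

On a real host, pipe `getmac` or `ipconfig /all` output into `extract_macs()` to check every adapter rather than only the primary one; a machine with several adapters matches if any one of them is listed.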
Back on the supply chain gang
The Asus debacle is also a supply-chain attack: something malicious is inserted into a device either during manufacturing or through the update process. Asus is certainly not the first manufacturer or developer to deliver a malicious update to users. In 2017, CCleaner was hacked and a bogus update used to distribute malware to well over a million devices. In both attacks, the cybercriminals misused valid certificates to conceal their wares. NotPetya, likewise, was distributed through an accounting software update.