Possible ShadowHammer Targeting (Low Confidence)

Update: The conclusions drawn below are likely incorrect (or, at the least, presented incorrectly). The post will remain up to preserve the data collected and in case additional OSINT information becomes available.
——–

Last week, this blog examined the first stage of an infection chain deployed through a supply chain attack. The malware involved in this phase of the infection chain performed an MD5 hash of infected devices’ MAC addresses and compared them to MD5s in a hardcoded database. If a match was found, the malware called out to a hardcoded C2. Since then, multiple researchers have cracked these hashes and generated the underlying plaintext MACs.

The objectives of this supply chain attack remain unknown; however, this blog has identified one (low-confidence) possibility by comparing the plaintext MAC addresses with the Wigle database, a publicly available network data repository: The MAC addresses involved may be associated with industrial processes, logistics, and technology.

The supporting data for this assessment is below, and this blog emphasizes that these are low-confidence findings based on a limited dataset; should more specific targeting and victimology become available, this post will be revised (with the original content remaining intact for retrospective analysis).

Read more

The First Stage of ShadowHammer

On 25 March, Kaspersky researchers published details of a supply chain compromise involving ASUS, a Taiwan-based computer manufacturer. As part of this compromise, a threat actor pushed malicious code to victims who connected to the company’s servers using the ASUS Live Update feature used to deliver drivers and other updates (this blog notes that such update platforms are common across all manufacturers).

The malicious code in question is a first-stage triage tool, and details of the second-stage code have not yet been uncovered. This post documents this first-stage functionality of one of the identified variants, which compares the victim’s MAC address to a hardcoded list prior to communicating with a C2.

Read more