Yesterday there were unconfirmed reports from Reddit and a Motherboard editor that ASUS, one of the world’s biggest laptop vendors by volume, had been compromised in an attack on their servers that seeded updates to customers using the Live Update software. The reports claimed that ASUS’ software was being used to seed malware to unsuspecting users, as it looked like the updates were legitimate and were indeed downloaded straight off of the servers. ASUS verified these claims late yesterday evening, and has urged consumers to remove and/or update the Live Update software for the moment while they fix the problem.
In a press release about the incident, ASUS blamed the malware infections and server hacks on state-sponsored hacking groups, or Advanced Persistent Threat (APT) groups. The press release states:
ASUS Live Update is a proprietary tool supplied with ASUS notebook computers to ensure that the system always benefits from the latest drivers and firmware from ASUS. A small number of devices have been implanted with malicious code through a sophisticated attack on our Live Update servers in an attempt to target a very small and specific user group. ASUS customer service has been reaching out to affected users and providing assistance to ensure that the security risks are removed.
ASUS goes on to say that they have seeded a new version of Live Update (version 3.6.8) for consumers that implements new security measures, including “multiple security verification mechanisms to prevent any malicious manipulation”, and “an enhanced end-to-end encryption mechanism”.
Prior to the update, testing by Kaspersky Lab revealed that the attackers had been active in seeding the malware through ASUS’ service for more than eight months, starting with an attack in July 2018. The APT responsible was able to compromise a Live Update server and seed different versions of malware intended for specific targets. The attackers hard-coded several hundred MAC addresses into their software, primarily targeting users in Russia, Germany, and France.
It’s not clear who the targets were, but the danger is remote for most users who were running Live Update on their laptop or desktop. If you run a product with an ASUS motherboard inside, check your MAC address against the list of known targets here.
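The check described above, as an added example (not ASUS’ or Kaspersky’s checker): it normalizes whatever MAC notation the adapters and the published list use and reports any match. The `TARGETED_MACS` entries are constructed placeholders, not real indicators from this campaign, and `primary_mac` only reads one adapter via the standard library.

```python
"""Compare local MAC addresses with a list of MAC addresses an implant hard-codes.

Added example, not ASUS's or Kaspersky's tool. TARGETED_MACS holds constructed
placeholders standing in for the published target list.
"""
import re
import uuid

# Constructed placeholder list in the notations such lists are commonly published in.
TARGETED_MACS = [
    "00:11:22:33:44:55",
    "AA-BB-CC-DD-EE-01",
    "aabb.ccdd.ee02",  # Cisco-style notation
]

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac: str) -> str:
    """Reduce any common MAC notation to 12 lowercase hex digits; reject anything else."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def find_targeted(local_macs, target_macs=TARGETED_MACS):
    """Return the local MACs (as given) that appear in the target list.

    Comparison happens on the normalized form, so a difference in separators or
    letter case between the adapter and the list cannot hide a match.
    """
    targets = {normalize_mac(m) for m in target_macs}
    return [m for m in local_macs if normalize_mac(m) in targets]


def primary_mac() -> str:
    """MAC of one adapter via uuid.getnode(); a thorough check enumerates every adapter.

    When no hardware address can be read, uuid.getnode() returns a random number
    with the multicast bit set, which will never match a real target entry.
    """
    return "{:012x}".format(uuid.getnode())


if __name__ == "__main__":
    mac = primary_mac()
    verdict = "ON TARGET LIST" if find_targeted([mac]) else "not on target list"
    print(f"local MAC {mac}: {verdict}")
```

Machines with several adapters (Ethernet plus Wi-Fi, for instance) should feed all of their addresses to `find_targeted`, since the implant could have been keyed to any of them.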
Kaspersky also notes that they discovered over 57,000 infections via Live Update among their users, though they could not determine which users had been intentionally targeted. It looks like the widespread nature of the infection was intended as a smokescreen to hide which targets the APT had in mind. The attack was codenamed ShadowHammer by Kaspersky, and may be related to an earlier attack in 2017 that may have been run by the same APT group, but with different targets.
It was also difficult to detect the attack, as the APT group had not only compromised the update server but had also obtained a copy of ASUS’ digital certificate to sign their software with, so any installation of the malware would appear to come from a legitimate source.
If you’re wondering about your own security, it is advised to run ASUS’ free tool to check whether you were infected, and to uninstall Live Update and replace it with a clean installation of the latest version. Updating your antivirus software and setting it to scan your drive is also a good idea. Windows users will probably see the malware removed automatically via the Malicious Software Removal Tool in the coming days and weeks.
If you have been infected, and worry for your safety, a clean installation of Windows and re-flashing the BIOS from ASUS’ website is recommended.
Last Updated: March 27, 2019