Operation ShadowHammer (Threat Actor)

SYMBOL	COMMON_NAME	aka. SYNONYMS

Operation ShadowHammer (Back to overview)

Newly discovered supply chain attack that leveraged ASUS Live Update software. The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their list.

Associated Families

win.shadowhammer

References

2020-07-29 ⋅ Kaspersky Labs ⋅ GReAT
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel

2020-03-27 ⋅ One Night in Norfolk ⋅ Kevin Perlow
The First Stage of ShadowHammer
shadowhammer

2020-03-03 ⋅ PWC UK ⋅ PWC UK
Cyber Threats 2019:A Year in Retrospect
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle

2019-10-07 ⋅ ESET Research ⋅ Marc-Etienne M.Léveillé, Mathieu Tartare
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad

2019-05-20 ⋅ YouTube ⋅ Kaspersky
Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019
shadowhammer

2019-04-23 ⋅ Kaspersky Labs ⋅ AMR, GReAT
Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad

2019-04-22 ⋅ Trend Micro ⋅ Mohamad Mokbel
C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti

2019-04-03 ⋅ One Night in Norfolk ⋅ Kevin Perlow
Possible ShadowHammer Targeting (Low Confidence)
shadowhammer

2019-03-29 ⋅ F-Secure ⋅ Bert Steppe
A Hammer Lurking In The Shadows
shadowhammer

2019-03-28 ⋅ F-Secure ⋅ F-Secure Global
Analysis of ShadowHammer ASUS Attack First Stage Payload
shadowhammer

2019-03-28 ⋅ Vitali Kremez Blog ⋅ Vitali Kremez
Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess
shadowhammer

2019-03-28 ⋅ Skylight Cyber ⋅ Skylight Cyber
Unleash The Hash - ShadowHammer MAC Address List
shadowhammer

2019-03-27 ⋅ mauronz blog ⋅ mauronz
Analysis of the ShadowHammer backdoor
shadowhammer

2019-03-27 ⋅ ReversingLabs ⋅ Tomislav Pericin
Forging the ShadowHammer
shadowhammer

2019-03-25 ⋅ Kaspersky Labs ⋅ AMR, GReAT
Operation ShadowHammer
shadowhammer Operation ShadowHammer

Credits: MISP Project