
Operation ShadowHammer


Operation ShadowHammer is a supply chain attack, newly discovered at the time of the original report, that leveraged the ASUS Live Update software. The goal of the attack was to surgically target an unknown pool of users, who were identified by their network adapters’ MAC addresses. To achieve this, the attackers hardcoded a list of MAC addresses into the trojanized samples, and this list was used to identify the actual intended targets of this massive operation. We were able to extract more than 600 unique MAC addresses from over 200 samples used in this attack. Of course, there might be other samples out there with different MAC addresses in their lists.


Associated Families
win.shadowhammer

References
2020-07-29 | Kaspersky Labs | GReAT
@online{great:20200729:trends:6810325,
  author       = {GReAT},
  title        = {{APT trends report Q2 2020}},
  date         = {2020-07-29},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/apt-trends-report-q2-2020/97937/},
  language     = {English},
  urldate      = {2020-07-30},
}
APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-03-27 | One Night in Norfolk | Kevin Perlow
@online{perlow:20200327:first:6b7c827,
  author       = {Perlow, Kevin},
  title        = {{The First Stage of ShadowHammer}},
  date         = {2020-03-27},
  organization = {One Night in Norfolk},
  url          = {https://norfolkinfosec.com/the-first-stage-of-shadowhammer/},
  language     = {English},
  urldate      = {2020-05-19},
}
The First Stage of ShadowHammer
shadowhammer
2020-03-03 | PWC UK | PWC UK
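% Corporate author: the extra braces keep "PWC UK" as a single name instead of
% being parsed as first="PWC", last="UK". The citation key is left unchanged so
% existing citations still resolve. A space was added after the colon in the title.
@techreport{uk:20200303:cyber:1f1eef0,
  author      = {{PWC UK}},
  title       = {{Cyber Threats 2019: A Year in Retrospect}},
  date        = {2020-03-03},
  institution = {PWC UK},
  url         = {https://www.pwc.co.uk/cyber-security/assets/cyber-threats-2019-retrospect.pdf},
  language    = {English},
  urldate     = {2020-03-03},
}
Cyber Threats 2019: A Year in Retrospect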
KevDroid MESSAGETAP magecart AndroMut Cobalt Strike CobInt Crimson RAT DNSpionage Dridex Dtrack Emotet FlawedAmmyy FlawedGrace FriedEx Gandcrab Get2 GlobeImposter Grateful POS ISFB Kazuar LockerGoga Nokki QakBot Ramnit REvil Rifdoor RokRAT Ryuk shadowhammer ShadowPad Shifu Skipper StoneDrill Stuxnet TrickBot Winnti ZeroCleare APT41 MUSTANG PANDA Sea Turtle
2019-10-07 | ESET Research | Marc-Etienne M.Léveillé, Mathieu Tartare
@techreport{mlveill:20191007:connecting:e59d4c8,
  author      = {M.Léveillé, Marc-Etienne and Tartare, Mathieu},
  title       = {{CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group}},
  date        = {2019-10-07},
  institution = {ESET Research},
  url         = {https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Winnti.pdf},
  language    = {English},
  urldate     = {2020-01-10},
}
CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
LOWKEY shadowhammer ShadowPad
2019-05-20 | YouTube | Kaspersky
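% The "#" in the title is escaped as "\#": an unescaped "#" is a LaTeX special
% character and breaks compilation when the title is typeset.
@online{kaspersky:20190520:video:148e81f,
  author       = {Kaspersky},
  title        = {{Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at \#TheSAS2019}},
  date         = {2019-05-20},
  organization = {YouTube},
  url          = {https://www.youtube.com/watch?v=T5wPwvLrBYU},
  language     = {English},
  urldate      = {2020-01-08},
}
Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019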
shadowhammer
2019-04-23 | Kaspersky Labs | GReAT, AMR
@online{great:20190423:operation:20b8f83,
  author       = {GReAT and AMR},
  title        = {{Operation ShadowHammer: a high-profile supply chain attack}},
  date         = {2019-04-23},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/operation-shadowhammer-a-high-profile-supply-chain-attack/90380/},
  language     = {English},
  urldate      = {2019-12-20},
}
Operation ShadowHammer: a high-profile supply chain attack
shadowhammer ShadowPad
2019-04-22 | Trend Micro | Mohamad Mokbel
@online{mokbel:20190422:cc:23b1202,
  author       = {Mokbel, Mohamad},
  title        = {{C/C++ Runtime Library Code Tampering in Supply Chain}},
  date         = {2019-04-22},
  organization = {Trend Micro},
  url          = {https://www.trendmicro.com/en_us/research/19/d/analyzing-c-c-runtime-library-code-tampering-in-software-supply-chain-attacks.html},
  language     = {English},
  urldate      = {2021-09-19},
}
C/C++ Runtime Library Code Tampering in Supply Chain
shadowhammer ShadowPad Winnti
2019-04-03 | One Night in Norfolk | Kevin Perlow
@online{perlow:20190403:possible:0a08c3a,
  author       = {Perlow, Kevin},
  title        = {{Possible ShadowHammer Targeting (Low Confidence)}},
  date         = {2019-04-03},
  organization = {One Night in Norfolk},
  url          = {https://norfolkinfosec.com/possible-shadowhammer-targeting-low-confidence/},
  language     = {English},
  urldate      = {2020-05-19},
}
Possible ShadowHammer Targeting (Low Confidence)
shadowhammer
2019-03-29 | F-Secure | Bert Steppe
@online{steppe:20190329:hammer:44fb72d,
  author       = {Steppe, Bert},
  title        = {{A Hammer Lurking In The Shadows}},
  date         = {2019-03-29},
  organization = {F-Secure},
  url          = {https://blog.f-secure.com/a-hammer-lurking-in-the-shadows/},
  language     = {English},
  urldate      = {2020-11-04},
}
A Hammer Lurking In The Shadows
shadowhammer
2019-03-28 | Vitali Kremez Blog | Vitali Kremez
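% The underscore in "crt_ExitProcess" is escaped as "\_": a bare "_" in a text
% field is a LaTeX math-mode character and breaks compilation when typeset.
% The author is written in "Last, First" form, which parses unambiguously.
@online{kremez:20190328:lets:9a07122,
  author       = {Kremez, Vitali},
  title        = {{Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt\_ExitProcess}},
  date         = {2019-03-28},
  organization = {Vitali Kremez Blog},
  url          = {https://www.vkremez.com/2019/03/lets-learn-dissecting-operation.html},
  language     = {English},
  urldate      = {2020-01-10},
}
Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess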
shadowhammer
2019-03-28 | Skylight Cyber | Skylight Cyber
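% Corporate author: the extra braces keep "Skylight Cyber" as a single name
% instead of being parsed as first="Skylight", last="Cyber". The citation key
% is left unchanged so existing citations still resolve.
@online{cyber:20190328:unleash:f5f7048,
  author       = {{Skylight Cyber}},
  title        = {{Unleash The Hash - ShadowHammer MAC Address List}},
  date         = {2019-03-28},
  organization = {Skylight Cyber},
  url          = {https://skylightcyber.com/2019/03/28/unleash-the-hash-shadowhammer-mac-list/},
  language     = {English},
  urldate      = {2019-10-23},
}
Unleash The Hash - ShadowHammer MAC Address List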
shadowhammer
2019-03-28 | F-Secure | F-Secure Global
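% Corporate author: the extra braces keep "F-Secure Global" as a single name
% instead of being parsed as first="F-Secure", last="Global". The citation key
% is left unchanged so existing citations still resolve.
@online{global:20190328:analysis:8b788ab,
  author       = {{F-Secure Global}},
  title        = {{Analysis of ShadowHammer ASUS Attack First Stage Payload}},
  date         = {2019-03-28},
  organization = {F-Secure},
  url          = {https://countercept.com/blog/analysis-shadowhammer-asus-attack-first-stage-payload/},
  language     = {English},
  urldate      = {2020-01-08},
}
Analysis of ShadowHammer ASUS Attack First Stage Payload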
shadowhammer
2019-03-27 | mauronz blog | mauronz
@online{mauronz:20190327:analysis:99db548,
  author       = {mauronz},
  title        = {{Analysis of the ShadowHammer backdoor}},
  date         = {2019-03-27},
  organization = {mauronz blog},
  url          = {https://mauronz.github.io/shadowhammer-backdoor},
  language     = {English},
  urldate      = {2020-01-06},
}
Analysis of the ShadowHammer backdoor
shadowhammer
2019-03-27 | ReversingLabs | Tomislav Pericin
@online{pericin:20190327:forging:a9c71d8,
  author       = {Pericin, Tomislav},
  title        = {{Forging the ShadowHammer}},
  date         = {2019-03-27},
  organization = {ReversingLabs},
  url          = {https://blog.reversinglabs.com/blog/forging-the-shadowhammer},
  language     = {English},
  urldate      = {2020-01-06},
}
Forging the ShadowHammer
shadowhammer
2019-03-25 | Kaspersky Labs | GReAT, AMR
@online{great:20190325:operation:c4bf341,
  author       = {GReAT and AMR},
  title        = {{Operation ShadowHammer}},
  date         = {2019-03-25},
  organization = {Kaspersky Labs},
  url          = {https://securelist.com/operation-shadowhammer/89992/},
  language     = {English},
  urldate      = {2019-12-20},
}
Operation ShadowHammer
shadowhammer Operation ShadowHammer

Credits: MISP Project