Operation ShadowHammer

Supply chain attack, first reported in March 2019, that abused the ASUS Live Update utility. Although the trojanized updater was distributed broadly, its purpose was to surgically target a small, still unknown pool of users, identified by the MAC addresses of their network adapters. To achieve this, the attackers hardcoded a list of MAC addresses into the trojanized samples; the implant compared the host's adapters against that list and only proceeded on a match, so the list is what identifies the actual intended targets of this massive operation. More than 600 unique MAC addresses were extracted from over 200 samples used in the attack. Other samples with different MAC addresses in their lists may well exist.
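The gating mechanism described above, as an added example that is not code from the page or from the ShadowHammer samples: an implant embeds a hardcoded target list, hashes each local adapter's MAC address and stays dormant unless one hash is on the list; a defender inverts the list by enumerating the 2^24 suffixes under a vendor OUI, which is the approach behind the "Unleash The Hash" write-up listed below. The MD5 digest, the canonical uppercase colon-separated string form and all MAC values are assumptions constructed for the example; the real samples' exact encoding is documented in the referenced analyses.

```python
import hashlib

# Constructed sample input: MAC addresses as three adapters on one host might report
# them, in the mixed formats Windows and Linux tooling produce. Not real victim data.
SAMPLE_ADAPTER_MACS = ["00-1A-2B-3C-4D-5E", "ac:de:48:00:11:22", "02004C4F4F50"]


def normalize_mac(mac: str) -> str:
    """Canonical form: uppercase hex pairs joined by colons.

    The gate only fires if the implant hashes the adapter's MAC in exactly the
    form the attacker used when building the list, so normalization is part of
    the technique rather than cosmetics.
    """
    digits = "".join(ch for ch in mac.upper() if ch in "0123456789ABCDEF")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_digest(mac: str) -> str:
    """MD5 of the canonical MAC string, hex encoded (assumed encoding, see lead-in)."""
    return hashlib.md5(normalize_mac(mac).encode("ascii")).hexdigest()


# Constructed "hardcoded" target list. An implant embeds digests like these instead of
# raw MAC strings so the target set is not readable from the binary at a glance.
TARGET_MACS = ["AC:DE:48:00:11:22", "00:50:56:AA:BB:CC"]
TARGET_DIGESTS = frozenset(mac_digest(m) for m in TARGET_MACS)


def matching_targets(adapter_macs, target_digests=TARGET_DIGESTS):
    """Implant side: return the adapter MACs whose digest is on the target list.

    A real implant enumerates the host's adapters itself; here they are passed in
    so the check runs offline. An empty result means "not a target, stay dormant".
    """
    return [normalize_mac(m) for m in adapter_macs if mac_digest(m) in target_digests]


def recover_macs(target_digests, oui: str, limit: int = 1 << 24):
    """Defender side: invert the digests for one vendor prefix (OUI).

    A MAC is only 48 bits and the top 24 are the vendor OUI, so each OUI leaves
    2**24 candidate suffixes, which is cheap to enumerate. Returns a dict
    digest -> MAC for every digest recovered, stopping early once all are found
    or after `limit` suffixes have been tried.
    """
    prefix = normalize_mac(oui + "000000")[:9]  # e.g. "AC:DE:48:"
    wanted = set(target_digests)
    found = {}
    for suffix in range(limit):
        mac = f"{prefix}{suffix >> 16:02X}:{(suffix >> 8) & 0xFF:02X}:{suffix & 0xFF:02X}"
        digest = hashlib.md5(mac.encode("ascii")).hexdigest()
        if digest in wanted:
            found[digest] = mac
            wanted.discard(digest)
            if not wanted:
                break
    return found


if __name__ == "__main__":
    hits = matching_targets(SAMPLE_ADAPTER_MACS)
    print("gate:", "ACTIVATE" if hits else "dormant", hits)
    print("recovered:", recover_macs(TARGET_DIGESTS, "AC:DE:48", limit=1 << 16))
```

Hashing the list buys the attacker almost nothing once the encoding is known: the search space per OUI is 16 million digests, and the OUI space that matters is limited to vendors whose hardware the targets plausibly use, so a defender can recover the plaintext targets and check their own inventory against them. The normalization step is the practical caveat on the defender side too: compare canonical forms, not whatever string a given OS prints.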

Associated Families

References

2020-07-29  Kaspersky Labs (GReAT): APT trends report Q2 2020
    Families: PhantomLance, Dacls, Penquin Turla, elf.wellmess, AppleJeus, Dacls, AcidBox, Cobalt Strike, Dacls, EternalPetya, Godlike12, Olympic Destroyer, PlugX, shadowhammer, ShadowPad, Sinowal, VHD Ransomware, Volgmer, WellMess, X-Agent, XTunnel

2020-03-27  One Night in Norfolk (Kevin Perlow): The First Stage of ShadowHammer

2020-03-03  PWC UK (PWC UK): Cyber Threats 2019: A Year in Retrospect
    Families: KevDroid, MESSAGETAP, magecart, AndroMut, Cobalt Strike, CobInt, Crimson RAT, DNSpionage, Dridex, Dtrack, Emotet, FlawedAmmyy, FlawedGrace, FriedEx, Gandcrab, Get2, GlobeImposter, Grateful POS, ISFB, Kazuar, LockerGoga, Nokki, QakBot, Ramnit, REvil, Rifdoor, RokRAT, Ryuk, shadowhammer, ShadowPad, Shifu, Skipper, StoneDrill, Stuxnet, TrickBot, Winnti, ZeroCleare, APT41, MUSTANG PANDA, Sea Turtle

2019-10-07  ESET Research (Marc-Etienne M.Léveillé, Mathieu Tartare): CONNECTING THE DOTS: Exposing the arsenal and methods of the Winnti Group
    Families: LOWKEY, shadowhammer, ShadowPad

Video: Operation ShadowHammer: Costin Raiu and Vitaly Kamlyuk at #TheSAS2019

2019-04-23  Kaspersky Labs (AMR, GReAT): Operation ShadowHammer: a high-profile supply chain attack
    Families: shadowhammer, ShadowPad

2019-04-22  Trend Micro (Mohamad Mokbel): C/C++ Runtime Library Code Tampering in Supply Chain
    Families: shadowhammer, ShadowPad, Winnti

2019-04-03  One Night in Norfolk (Kevin Perlow): Possible ShadowHammer Targeting (Low Confidence)

2019-03-29  F-Secure (Bert Steppe): A Hammer Lurking In The Shadows

2019-03-28  F-Secure (F-Secure Global): Analysis of ShadowHammer ASUS Attack First Stage Payload

2019-03-28  Vitali Kremez Blog (Vitali Kremez): Let's Learn: Dissecting Operation ShadowHammer Shellcode Internals in crt_ExitProcess

2019-03-28  Skylight Cyber (Skylight Cyber): Unleash The Hash - ShadowHammer MAC Address List

2019-03-27  mauronz blog (mauronz): Analysis of the ShadowHammer backdoor

2019-03-27  ReversingLabs (Tomislav Pericin): Forging the ShadowHammer

2019-03-25  Kaspersky Labs (AMR, GReAT): Operation ShadowHammer
    Families: shadowhammer, Operation ShadowHammer

Credits: MISP Project