In this article, we share a surprising discovery we made while studying the ASUS Live Update attack that occurred during March of 2019. Our research points to the possible presence of another malicious operation that seemingly targeted the financial sector. Below are our key takeaways.

- Four distinct valid certificates were used in this operation, which indicates that certificates cannot be 100% trusted.
- Even though the certificate owner was not the program's developer, no warning was triggered, because the certificate itself was valid.
- The discovered malware employed sophisticated techniques:
  - It modified a normal Portable Executable (PE) file and replaced a function in the commonly used C runtime (CRT) library to avoid detection.
  - Large numbers of junk instructions and functions were inserted to obfuscate the code and its control flow.
  - A "busy loop" was used to compute the decryption key for the next-stage payload.
  - In-memory process hollowing was used to hinder forensic analysis.
  - The payload was encoded in multiple layers, hiding the final objective.
- Several social engineering tricks were used to confuse victims. In particular, various phishing websites were set up, with the financial sector as the apparent main target:
  - The domain pcisecuritysstandrads[.]org was used as a social engineering lure against financial sector victims.
  - A fake Adobe Download Manager carrying a legitimate digital signature was used to pose as a legitimate program.

Surprising Discovery from ASUS LIVE UPDATE Malware Hunting

This financial sector attack was inadvertently discovered during our investigation of Operation ShadowHammer[1], an advanced persistent threat (APT) targeting certain ASUS users. By compromising the update mechanism of the ASUS Live Update platform, the attacker gained a legitimate certificate and a trusted distribution channel, which made it easy to mask their malicious activity. While Operation ShadowHammer highlighted the severity of a supply chain attack, our research team dug deeper to see whether any other malware was using the fake ASUS Live Update service.

Our research involved developing several YARA rules and malware hunting techniques on VirusTotal. For instance, the ShadowHammerDropper rule, shown in Fig. 1, detected the string "ASUS Live Update" together with the resource name "EXE". Another rule, ShadowHammerSigned, determined whether ASUS certificates were used. We also implemented several rules for detecting ShadowHammer's malware. The results included several malware samples, some of them unrelated to ShadowHammer. Among these unrelated samples, we were particularly interested in the following three. Since these samples carried valid certificates, they would not be flagged by most anti-virus software.
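As an added illustration of the two hunting checks described above (example rules written for this article, not the authors' own rule set from Fig. 1), the following YARA rules approximate them using the pe module: one matches the "ASUS Live Update" string together with a resource named EXE, the other flags any PE whose Authenticode signer subject names ASUSTeK. The rule names, the ASCII/wide string handling and the "ASUSTeK" subject substring are assumptions.

```yara
import "pe"

// Added example approximating the dropper hunting rule described in the text.
// Not the authors' rule; the string forms and resource check are assumptions.
rule ShadowHammerDropper_Example
{
    meta:
        description = "PE carrying the 'ASUS Live Update' string and a resource named EXE"
    strings:
        // Match both ASCII and UTF-16LE encodings, since the literal may be wide in the binary
        $s_live_update = "ASUS Live Update" ascii wide
    condition:
        uint16(0) == 0x5A4D and
        $s_live_update and
        pe.number_of_resources > 0 and
        // Resource name strings are stored as UTF-16LE, so "EXE" is compared as E\x00X\x00E\x00
        for any i in (0..pe.number_of_resources - 1):
            (pe.resources[i].name_string == "E\x00X\x00E\x00")
}

// Added example approximating the signed-sample check: any Authenticode signature
// whose subject names ASUSTeK. Assumption: the subject DN contains the text "ASUSTeK".
rule ShadowHammerSigned_Example
{
    meta:
        description = "PE signed with a certificate whose subject names ASUSTeK"
    condition:
        uint16(0) == 0x5A4D and
        pe.number_of_signatures > 0 and
        for any i in (0..pe.number_of_signatures - 1):
            (pe.signatures[i].subject contains "ASUSTeK")
}
```

A hit on ShadowHammerSigned_Example alone only says the file is ASUS-signed (legitimate ASUS binaries match too); it is the overlap with the other detections, and the signer-versus-publisher mismatch the article describes, that makes a sample worth a closer look.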