An attack on the update system for ASUS personal computers running Microsoft Windows allowed attackers to inject backdoor malware into thousands of computers, according to researchers at Kaspersky Lab. The attack, reported today on Motherboard by Kim Zetter, took place last year and delivered malicious software signed with ASUS’ own code-signing certificate—making it indistinguishable, at the signature level, from a legitimate update. Kaspersky analysts told Zetter that the backdoored updater was pushed to ASUS customers for at least five months before it was discovered and shut down.
Kaspersky discovered traces of the attack in January 2019, but the attack itself ran between June and November 2018. Called “ShadowHammer” by Kaspersky, the backdoor only activated its second-stage payload on machines whose network adapters matched a hardcoded list of specific MAC addresses; on every other machine it stayed dormant. The population that received the backdoored updater, however, was substantial. According to a blog post by a Kaspersky spokesperson:
Over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time… We are not able to calculate the total count of affected users based only on our data; however, we estimate that the real scale of the problem is much bigger and is possibly affecting over a million users worldwide.
Nearly half of the affected systems detected by Kaspersky were computers in Russia, Germany, and France—though this number may be more representative of where Kaspersky users with ASUS computers were rather than the actual geographic distribution. The domain associated with the attack, asushotfix.com, was hosted on a server with an IP address in Russia.