A sophisticated, planned supply chain attack has leveraged the ASUS Live Utility Update with a backdoor which is to be believed have impacted over a million users who have downloaded the ASUS Live Update Utility on their computers.
ASUS Live Update is an utility that is pre-installed on most ASUS computers and is used to automatically update certain components such as BIOS, UEFI, drivers and applications.
Based on shared statistics, over 57,000 Kaspersky users have downloaded and installed the backdoored version of ASUS Live Update at some point in time. There were multiple versions of infected ASUS Live Update binaries distributed with every one of them targeting “unknown pool of users, which were identified by their network adapters’ MAC addresses.”
The reason that they remained undetected for such a long time is that that the trojanized updaters were signed with legitimate certificates (eg: “ASUSTeK Computer Inc.”). The malicious updaters were hosted on the official liveupdate01s.asus[.]com and liveupdate01.asus[.]com ASUS update servers.
Victim distribution by country for the compromised ASUS Live Updater is as follow.
Infection of backdoor Trojan.
Indicators of Compromise
|IP(s) / Hostname(s)||141.105.71[.]116|
|Malware Hash (MD5/SHA1/SH256)||aa15eb28292321b586c27d8401703494 |
KasperSky lab has created a tool which can check that if your computer has been the selected target of this attack.
Link to the tool.