<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1076912843267184&amp;ev=PageView&amp;noscript=1">
RL Blog

Forging the ShadowHammer

Tomislav Peričin
Blog Author

Tomislav Peričin, Chief Software Architect & Co-Founder at ReversingLabs. Read More...


Operation ShadowHammer is a new and highly targeted supply chain attack discovered by Kaspersky Lab. The attack leveraged ASUS Live Update software to distribute malicious code. Live Update is a utility which commonly comes pre-installed on most ASUS computers and is used to update system drivers and BIOS/UEFI code.

As the details of this supply chain attack are still unfolding our ReversingLabs researchers looked into what is currently publicly available. Using our Titanium Platform we’ve been able to make a few connections which lead us to, what we believe is, the first iteration of this malware code.

We started from the infected installation package that was published by Kaspersky Lab. Its content is the main installation file called Setup.exe and two additional MSI installation packages that contain all the software components that get installed on the system.

Forging the ShadowHammer Infected ASUS installation package - courtesy of Kaspersky Labs

The main executable file, Setup.exe, carries the malicious payload. Because of this, we decided to take a look at how we could pivot around Setup.exe and find additional samples to analyze. Using our RHA1 functional similarity algorithm we’ve been able to do just that and find 10 additional samples worth taking a closer look at.

Forging the ShadowHammer
Pivoting to find similar files via ReversingLabs RHA1 functional similarity algorithm

From this point, the investigation is carried forward by TitaniumCore, our advanced file decomposition engine. TitaniumCore has been able to extract embedded resources from all of the RHA1 detected installation packages. The installation packages which have 58 extracted files are particularly interesting as they contain one variant of the ShadowHammer attack.

Forging the ShadowHammer

Extracted resources via ReversingLabs TitaniumCore static unpacking engine

This extracted executable is a Visual Studio C++ application that has been compiled with debug symbol information enabled. These symbols unveil a bit more about the attacker and the attack timeline.

Forging the ShadowHammerPDB debugging information found within the extracted executable file

Based on the specifics of the file path, we were able to conclude that this is the original code the adversaries developed specifically to carry out this attack. Since PDB paths are indexed by our advanced search capabilities, finding all the other samples that share this path, requires only a simple one keyword search.

Forging the ShadowHammer
Pivoting to other versions of the same malware via ReversingLabs Advanced Search

Within this batch of samples, we looked at the oldest one, which has the following debugging information.

Forging the ShadowHammerPDB debugging information found within the extracted executable file


The timestamp information within aligns perfectly with the attack timeline described by Kaspersky Lab.

The details of the attack are still being investigated by our own team and the teams of security researchers around the world. Our hope is that this short threat hunting blog will help those looking for more details as they put the pieces of this puzzle back together.


Keep learning

Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.

More Blog Posts