![]() The new CorExitFunction uses VirtualAlloc from the module’s IAT by accessing it with an exact offset starting from the Module Handle (virtual address). In this campaign, the hackers added an additional encrypted stage of shellcode which resides in the resource section. Replacing the Exit function causes some EDR solutions to fail in detection while looking the validity and integrity of the current running processes it appears that the hacker group learned from its previous mistakes. While in the CCleaner case the TLS initialization function was modified, in this case the crtExitProcess has been modified. Similar to CCleaner, the compile machine was compromised and the CRT runtime modified. Targeted MAC AddressesĪccording to the 360 Intelligence Center the MAC address distribution is as follows: This indicates that the attack actors had already performed significant reconnaissance work (as in the CCleaner case). As Morphisec Labs conducted its own research into the ASUS attack, we identified several correlations to the CCleaner campaign, as evidenced in the below Technical Analysis.īased on our research, the malicious code implements a decryption method previously used as part of a PlugX targeted malware variant, and the MAC validation method is highly tailored for a set of very specific combination of MAC addresses on the same computer. The ASUS attack brings to mind the massive CCleaner supply chain attack uncovered by Morphisec in 2017. The malware included a hardcoded list of MAC addresses – about 600 unique addresses were found in the samples analyzed by Kaspersky – only those on the list would connect to the C2 server for the follow-on payloads. ![]() Interestingly, although approximately 57,000 Kaspersky customers installed the trojanized Live Update, the attackers appear to be targeting a much smaller subset. Because the malicious file was signed with legitimate ASUS digital certificates, security tools allowed the malware through. It is estimated that at least half a million people installed the backdoored version of ASUS Live Update after an ASUS server that delivers the tool was compromised. Dubbed ShadowHammer by Kaspersky, the attack leveraged a malicious version of ASUS Live Update, a utility that automatically updates system components such as BIOS, UEFI, drivers and applications.The malicious version included a backdoor trojan that reaches out to a C2 server to download additional payloads. ![]() This week, Kaspersky Lab reported initial details of a new supply chain attack on systems by computer giant ASUS.
0 Comments
Leave a Reply. |