When security researchers at Kaspersky Lab disclosed Operation ShadowHammer in March, they described how attackers tampered with software updates from PC-maker ASUSTeK Computer to install malware on victims’ computers. Now, new details revealed last week indicate the operation was even more insidious—it sabotaged developer tools, an approach that could spread malware much faster and more discreetly than conventional methods.
In ShadowHammer, a sophisticated group of attackers modified an old version of the ASUS Live Update Utility software and pushed out the tampered copy to ASUS computers around the world, said Kaspersky Lab. The Live Update Utility, which comes preinstalled in most new ASUS computers, automatically updates the set of firmware instructions that control the computer’s input and output operations, hardware drivers, and applications. The modified tool, signed with legitimate ASUSTeK certificates and stored on official servers, looked like the real thing. But once it was planted, it gave the attackers the ability to control the computer through a remote server and install additional malware.
ShadowHammer is an “example of how sophisticated and dangerous a smart supply chain attack can be,” said Vitaly Kamluk, Kaspersky’s director of the global research and analysis team.
ASUSTeK wasn’t ShadowHammer’s only victim. Attackers also targeted at least three gaming companies based in Asia through a similar method, Kaspersky researchers found. Instead of subverting software updates, though, the attackers made a one-line change to their targets’ integrated development environment (IDE), a software program that developers use to write code. The effect was that whenever Microsoft Visual Studio compiled code with a specific Microsoft-owned library, the IDE used a similarly named library file instead.
Compilers and development platforms are at the core of the software supply chain, said Noushin Shabab, the Kaspersky senior security analyst who reverse-engineered the ShadowHammer malware. One infected compiler on a few developers’ machines can result in thousands of Trojanized software applications installed on millions of end-user computers.
“It’s a poisonous seed. Plant your poisonous seed in a safe place, and it will turn into the poisonous tree with fruit,” Shabab said.
Since the compiler pulls in relevant pieces of code from linked libraries and other components, using the tampered library meant code the developer did not intend to include was added to the application. A source code review won’t find the issue because the problem isn’t anywhere in the original code and the developer doesn’t know about the alternate library.
“When your compiler lies to you, your product always contains a backdoor, no matter what the source code is,” Kamluk said.
Kaspersky researchers found clues suggesting a group called Barium was behind both sets of attacks. Barium is known for a style of attack called “advanced persistent threat” which infects a computer or network and then lays undetected for a period of time. The group was previously linked to 2017’s ShadowPad attack, which compromised an update feature in server management software provided by the Korean firm NetSarang to install a backdoor on associated machines. One of the affected gaming companies in the ShadowHammer attack used NetSarang’s Windows X-server management software, Kamluk said.
Barium is also linked to the CCleaner attack, where hackers modified software updates for the legitimate computer cleanup tool to include the ShadowPad backdoor. With ShadowHammer, Kaspersky researchers believe attackers initially gained access to ASUS servers with CCleaner.
Software updates have been used in other attacks. In 2017’s NotPetya outbreak, the ransomware initially infected machines by masquerading as a software update for an accounting software widely used in Ukraine.
This latest attack echoes 2015’s XcodeGhost, when thousands of iOS apps created with a tampered version of Apple’s Xcode development environment was found to contain malicious code. Those apps—for instant messaging, banking, maps, stock trading, and games—could be remotely controlled from a command-and-control server. They could also collect device information, and read and write from the iOS clipboard.
This kind of compiler manipulation is not yet widespread because it requires deep knowledge of the tools that developers use, as well as the applications used by victims, Shabab said. However, the ShadowHammer case makes it clear that developers can’t assume their development environments are safe, and have to figure out how to regularly audit their own tools. With ShadowHammer, checking the libraries that a program pulls from would have revealed the malicious file, which was signed with an invalid certificate.
“We see this as the future, where the new targets are the software developers,” Kamluk said.