• The security firm Skylight released the list of 583 MAC addresses out of the total 619 targeted by the attackers.
• The researchers disassembled Kaspersky’s diagnostic tool to get the full list of addresses.

In a recent attack campaign, attackers distributed a backdoored version of ASUS Live Update utility to target ASUS laptop users.

It was Kaspersky Lab’s Global Research and Analysis Team (GReAT) who first detected the attack campaign in January 2019, with over 57,000 Kaspersky users affected by it. The Russian security firm dubbed this supply chain attack campaign as Operation ShadowHammer.

According to some estimates, the campaign has impacted over 1 million users who downloaded the backdoored version of ASUS Live Update software. The identity and the motives of the attackers are still unknown.

Target users detected via MAC addresses

Kaspersky researchers noted that there were multiple versions of the infected ASUS Live Update binaries which were aimed at specific users. The targets were detected based on a hardcoded list of MAC addresses defined in the backdoored samples. The malicious code ran for those users whose network adapter’s MAC address was found in the list.

Kaspersky researchers had reportedly found around 600 MAC addresses from over 200 backdoored samples used in the campaign. Kaspersky released a separate tool and a web page where users could check if their MAC address was part of the target list.

List of impacted MAC addresses

To make it easier for enterprises to search through the target list, Australian security firm Skylight’s CTO Shahar Zini shared the full list of nearly 583 MAC addresses out of the 619 targeted in the ASUS breach.

“If information regarding targets exists, it should be made publicly available to the security community so we can better protect ourselves,” Skylight stated, in a blog post announcing the release of the list.

With this list being made public, security professionals from various enterprises can bulk compare the affected addresses with their enterprise devices to check for any exposure.

How were the MAC addresses found?

Skylight researchers went through a lengthy process to extract the list from the offline tool released by Kaspersky. Firstly, the researchers disassembled the tool using IDA, following which they found the list of MAC addresses but in an encrypted form. The list was protected using a salted hash algorithm.

To crack the encryption with brute force, the researchers used a powerful AWS instance running a modified version of HashCat password cracking tool to brute force 583 MAC addresses within an hour.

“Enter Amazon’s AWS p3.16xlarge instance. These beasts carry eight (you read correctly) of NVIDIA’s V100 Tesla 16GB GPUs. The entire set of 1300 prefixes was brute-forced in less than an hour,” the researchers wrote, describing the process.

What actions were taken by ASUS?

Before the disclosure of the attack campaign, Kaspersky informed ASUS about it on January 31, 2019. ASUS recently released a new update for the Live Update tool. It also added new security verification mechanisms to prevent any further attacks.

The company also admitted that an unknown group of hackers gained access to its servers between June 2018 to November 2018.

All ASUS users are first advised to check if they are affected by the backdoored version of the software. The company released a diagnostic tool to check for the infection. For users whose MAC addresses are present in the target list, ASUS recommends performing a factory reset to get rid of the backdoor and wipe the system clean.