ShadowHammer: New details (UPDATE)

April 29, 2019

Latest development

As discussed in an earlier post on the emergence of ShadowHammer, this is the latest update; the investigation is ongoing, and more will likely follow in later progress reports. By now it is known that a similar algorithm was used in attacks on three other Asian vendors. The specimens were tampered, 'digitally signed' binaries from Innovative Extremist, Electronic Extreme and Zepetto. Tampering with even a single bit of an executable breaks its digital signature, yet in this incident the signatures were intact: valid and verifiable, according to the researchers' findings. The threat actor may have been inside the vendors' networks, gaining access to the source code or to the build during compilation, and injected the trojan there. Recent findings also note that additional victims have been identified, all situated in South Korea; they are being notified about the attack, and more information will be relayed as the investigation progresses.

Attack plan

The threat actors are precisely targeting an unknown pool of users, identified by harvested hardware MAC addresses. To do this, they hardcoded a list of MAC addresses into the trojanized samples, and that list was used to identify the intended targets of this massive operation. Investigators were able to extract 200 out of 600 unique MAC addresses, and they also believe other samples may carry lists of their own for possible future attacks. It remains a big question why the attackers limited the attack to 600+ victims.
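A defender who obtains such a target list can check it against their own asset inventory. The sketch below is an added example, not code from the researchers or from this post; the inventory, the indicator entries, the function names and the MD5-over-raw-bytes form for hashed list entries are all assumptions constructed for illustration.

```python
import hashlib
import re

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if raw is not a 48-bit MAC."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def mac_md5(mac_hex):
    """MD5 over the 6 raw address bytes (assumed digest form for hashed lists)."""
    return hashlib.md5(bytes.fromhex(mac_hex)).hexdigest()

def load_indicators(lines):
    """Split an indicator list into plain MACs and 32-hex-digit digests."""
    plain, hashed = set(), set()
    for line in lines:
        entry = line.split("#", 1)[0].strip()  # drop trailing comments
        mac = normalize_mac(entry)
        if mac:
            plain.add(mac)
        elif re.fullmatch(r"[0-9a-fA-F]{32}", entry):
            hashed.add(entry.lower())
    return plain, hashed

def find_targeted_hosts(inventory, indicator_lines):
    """Return sorted (host, mac) pairs whose adapter appears in the indicators."""
    plain, hashed = load_indicators(indicator_lines)
    hits = []
    for host, macs in inventory.items():
        for raw in macs:
            mac = normalize_mac(raw)  # accepts colon, hyphen and dotted forms
            if mac and (mac in plain or mac_md5(mac) in hashed):
                hits.append((host, mac))
    return sorted(hits)

# Constructed sample data: locally administered addresses, not real indicators.
INVENTORY = {
    "ws-014": ["02-00-5E-10-00-01", "02:00:5e:10:00:02"],
    "ws-027": ["0200.5e10.0003"],
    "srv-03": ["02:00:5e:10:00:04", "not-a-mac"],
}
INDICATORS = [
    "02:00:5E:10:00:02   # plain entry",
    mac_md5("02005e100003") + "  # hashed entry",
]

if __name__ == "__main__":
    for host, mac in find_targeted_hosts(INVENTORY, INDICATORS):
        print(f"{host}: adapter {mac} is on the target list")
```

A match means the host was an intended target and should be prioritised for investigation; a miss says nothing about whether the trojanized binary is installed.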

How not to be the next victim of a customized supply chain attack

This confirms that even digital signatures are no longer spared, and that what we assumed in the past was wrong. This time we should learn from others' mistakes and make our systems more secure by investigating all sorts of anomalous behaviour, even from trusted and signed applications. Organizations should change their protocols and adopt an almost paranoid stance, acting as if trouble may occur at any time and in any way possible. We should also employ the best anti-trojan detection system and cybercrime solution as a countermeasure; as the old saying goes, an ounce of prevention is worth a pound of cure.

