
Rapid Response: ASUS Live Update Attack (Operation ShadowHammer)


Periodically, a large-scale cybersecurity issue requires “all hands on deck” from the Huntress Team (see ,,). The unfolding fiasco also happens to be one of those moments. We’ve created this blog to provide simple answers to a complex supply chain attack affecting IT departments around the world.

Situation Overview

The hardware manufacturer ASUS included an application called Live Update on all of their Windows devices. , Hackers compromised ASUS’ automatic updating infrastructure and pushed backdoored updates through the Live Update software. Kaspersky Lab suggests that over a million hosts may have run a backdoored update.

The purpose of the backdoored update was to check whether the affected computer was a target of interest. If the computer was of interest,. If it was not of interest, no additional payloads were installed. It’s estimated that approximately 600 computers were targeted. Considering how selective this attack was, your ASUS computers were likely not infected. On March 26th, that all ASUS computers/laptops running Live Update should be updated to version 3.6.8 “to resolve security concerns”.

To give our partners peace of mind, the Huntress Development Team created custom tools to discover any computer, laptop, or server running Live Update below version 3.6.8 (huge thanks to  for being our guinea pig!).

The ThreatOps Team has reported all hosts running an outdated Live Update application and we’ll continue to monitor the situation for any updates or new agents that come online.

How to Verify if a Backdoored Update was Executed

All backdoored updates for Live Update included a modified version of Setup.exe. Within this application, the attackers added an obfuscated shellcode payload (this is the component that looked for the targeted MAC addresses).

If your computer was not targeted, the shellcode will create a file called idx.ini similar to the following example:


Thanks to @Ի for their excellent analysis!


As a result of this discovery, you can search your file system for the idx.ini file to determine if a backdoored update was run on your host!

Vitaly Kremez’s blog dives much deeper into the technical implementation of this and  to a directory up to two levels higher than where Setup.exe was executed.

Section within Vitaly Kremez’s blog highlighting the .INI indicator of compromise. © Vitaly Kremez
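The following script is an added example for triaging a single ASUS host against the two indicators described above; it is not Huntress’ own discovery tooling. It assumes Live Update registers itself under the standard Windows Uninstall registry keys with a DisplayName containing “ASUS” and “Live Update”, and that idx.ini can sit anywhere on a fixed drive, since the post says it lands up to two levels above where Setup.exe ran. Run it in an elevated PowerShell session.

```powershell
# Added example (not Huntress' tooling): check for an outdated Live Update and
# for an idx.ini left behind by the non-targeted branch of the shellcode.

$MinimumSafeVersion = [version]'3.6.8'

function Get-LiveUpdateVersion {
    # Assumption: Live Update appears under the usual Uninstall keys; adjust the
    # DisplayName filter if your installation registers under another name.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*ASUS*Live Update*' } |
        Select-Object DisplayName, DisplayVersion, InstallLocation
}

function Find-IdxIni {
    param([string[]]$Roots)
    # idx.ini is written up to two directories above the folder Setup.exe ran
    # from, so searching each whole drive is the safest way to catch it.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter 'idx.ini' -File -Recurse -Force -ErrorAction SilentlyContinue
    }
}

# 1. Version check
$installed = @(Get-LiveUpdateVersion)
if ($installed.Count -eq 0) {
    Write-Output 'Live Update not found in the Uninstall registry keys.'
} else {
    foreach ($app in $installed) {
        if (-not $app.DisplayVersion) { continue }
        $v = [version]$app.DisplayVersion
        $status = if ($v -lt $MinimumSafeVersion) { 'OUTDATED - update to 3.6.8' } else { 'OK' }
        Write-Output ('{0} {1}: {2}' -f $app.DisplayName, $v, $status)
    }
}

# 2. Indicator file check across every filesystem drive
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Used -gt 0 } | ForEach-Object { $_.Root }
$hits = @(Find-IdxIni -Roots $drives)
if ($hits.Count -gt 0) {
    Write-Output 'idx.ini found (possible sign that a backdoored Setup.exe ran on this host):'
    $hits | Select-Object FullName, Length, LastWriteTime | Format-Table -AutoSize
} else {
    Write-Output 'No idx.ini found on filesystem drives.'
}
```

idx.ini is a generic filename, so treat a hit as a lead rather than a verdict: compare the file’s contents and timestamp with the example in the post and with when Live Update last ran an update on that host.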

How to Verify if an ASUS Computer was Targeted

Only 600 hosts were targeted with the second stage malware, which means you and your clients likely didn’t receive the attention of a nation-state adversary 🕵️ (sorry to disappoint). However, we totally understand the difference between assuming and knowing you weren’t targeted.

For those looking to verify if their computer was on the hit list, check out the security diagnostic tools released by Ի. These applications gather host details like the MAC address and cross-reference your data against the list of targeted MAC addresses.

Hesitant to run the software?  and released  that were targeted which you can check against. A  which allows you to manually submit your ASUS computer’s MAC address.

© Kaspersky Lab

Is Your Computer Targeted?

If a diagnostic tool indicated you’re targeted, we’re here to help! Contact us at support[at]huntress.io and we’ll have someone quickly reach out to you.

With that said, it should be noted that one of the targeted MAC addresses belonged to a generic VMware interface:

In this case, the backdoored update actually checked for the presence of two MAC addresses. As long as your other NIC did not have MAC address 70:77:81:C0:FD:49, you’re likely in the clear.
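As an added example (not the Kaspersky or ASUS checker), the script below compares the MAC addresses of every adapter on the host with a list of targeted entries, and handles the two-address case described above: an entry holding two MACs counts as a hit only when both are present, so a host that carries just the generic VMware address is reported as a partial match rather than a target. The VMware address itself is not given in the post, so a placeholder from the VMware OUI range stands in for it; replace it and add the remaining published MACs before relying on the result.

```powershell
# Added example: compare this host's adapter MACs with targeted MAC entries.
# Each entry is an array; every address in an entry must be present for a hit.

$TargetSets = [System.Collections.Generic.List[object]]::new()
# Placeholder VMware MAC (not the real targeted value) paired with the MAC quoted in the post.
$TargetSets.Add(@('00:50:56:00:00:00', '70:77:81:C0:FD:49'))
# Single-address entries from the published lists go in the same way, e.g.
# $TargetSets.Add(@('AA:BB:CC:DD:EE:FF'))

function ConvertTo-NormalizedMac {
    param([string]$Mac)
    # Accept 70-77-81-C0-FD-49, 70:77:81:c0:fd:49 or 707781C0FD49 and emit one canonical form.
    $hex = ($Mac -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($hex.Length -ne 12) { throw "Not a MAC address: $Mac" }
    return ($hex -replace '(..)(?!$)', '$1:')
}

function Get-HostMacs {
    # Include disabled adapters: the shellcode checked whatever the OS reported.
    Get-CimInstance -ClassName Win32_NetworkAdapter |
        Where-Object { $_.MACAddress } |
        ForEach-Object { ConvertTo-NormalizedMac $_.MACAddress } |
        Sort-Object -Unique
}

function Test-TargetedHost {
    param([string[]]$HostMacs, [System.Collections.Generic.List[object]]$Sets)
    $present = @{}
    foreach ($m in $HostMacs) { $present[$m] = $true }
    $full = @(); $partial = @()
    foreach ($set in $Sets) {
        $wanted  = @($set | ForEach-Object { ConvertTo-NormalizedMac $_ })
        $matched = @($wanted | Where-Object { $present.ContainsKey($_) })
        if ($matched.Count -eq 0) { continue }
        if ($matched.Count -eq $wanted.Count) { $full += ,$wanted } else { $partial += ,$matched }
    }
    [pscustomobject]@{
        Targeted    = ($full.Count -gt 0)
        FullMatches = $full
        PartialOnly = $partial   # e.g. only the generic VMware address was present
    }
}

$result = Test-TargetedHost -HostMacs (Get-HostMacs) -Sets $TargetSets
if ($result.Targeted) {
    Write-Output 'TARGETED: every address in at least one entry is present on this host.'
    $result.FullMatches | ForEach-Object { Write-Output ('  ' + ($_ -join ' + ')) }
} elseif ($result.PartialOnly.Count -gt 0) {
    Write-Output 'Partial match only (e.g. the generic VMware address); per the post you are likely in the clear:'
    $result.PartialOnly | ForEach-Object { Write-Output ('  ' + ($_ -join ', ')) }
} else {
    Write-Output 'No targeted MAC address found on this host.'
}
```

Normalizing both sides before comparison matters because Windows reports MACs with colons while published lists often use dashes or bare hex; a naive string compare would silently miss every entry.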

How to Update ASUS’ Live Update

According to  on March 26th, 2019, Live Update version 3.6.8 was released. ASUS specifically highlighted this new version:

…introduced multiple security verification mechanisms to prevent any malicious manipulation in the form of software updates or other means, and implemented an enhanced end-to-end encryption mechanism.

The US Cybersecurity and Infrastructure Security Agency (CISA)  about Live Update version 3.6.8 stating:

This version addresses vulnerabilities that a remote attacker could exploit to take control of an affected system. These vulnerabilities were detected in exploits in the wild.

For IT Departments or Managed Service Providers looking to upgrade Live Update to version 3.6.8, please follow .

What if Live Update is Not Updating?

While working with our partners, we observed some issues with Live Update checking for updates:

Examples of Live Update version 3.4.3 unable to find any updates.

As demonstrated above, at least some hosts running Live Update below version 3.6.8 are not receiving the new update. ASUS noted this could happen in their support documentation. Unfortunately, we have not found a manual installer for version 3.6.8.

Notifying Your Customers

It’s very likely this issue will garner media attention as details continue to unfold. IT departments and Managed Service Providers should leverage this opportunity to demonstrate their ability to address breaking cybersecurity incidents.

We’re currently creating some resources to help you articulate what was done to ensure your company’s and client’s security. Stay tuned!

Huntress Play-by-Play

This situation is still unfolding. Check this section frequently for updates!

On March 25th, 2019, journalist  dropped an  detailing the supply chain attack against ASUS’ Live Update. Shortly after, with a handful of indicators of compromise (IOC) which included four malicious .ZIP files:

  • hxxp://liveupdate01.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip
  • hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip
  • hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip
  • hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip

These .ZIP archives contained a setup .EXE and two .MSI files. The MSI files in turn extracted over a dozen applications and configuration files for Live Update, which made identifying the backdoored component less trivial.
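The four archive URLs above are network indicators a defender can sweep proxy logs for. The script below is an added example, not Huntress’ code: it keeps the URLs defanged exactly as published, refangs them in memory, and matches both the full URL and the path (so a request served from a mirror or over a different scheme still surfaces). The log lines are constructed samples in a simple “timestamp client url” layout; adapt the field split to your proxy’s format.

```powershell
# Added example: sweep a proxy log for the backdoored Live Update archive URLs.

$DefangedIocs = @(
    'hxxp://liveupdate01.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip',
    'hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip',
    'hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER360.zip',
    'hxxps://liveupdate01s.asus[.]com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER359.zip'
)

function ConvertFrom-Defanged {
    param([string]$Url)
    # hxxp -> http, hxxps -> https, [.] -> .
    return (($Url -replace '^hxxp', 'http') -replace '\[\.\]', '.')
}

$IocUrls  = @($DefangedIocs | ForEach-Object { ConvertFrom-Defanged $_ })
$IocPaths = @($IocUrls | ForEach-Object { ([uri]$_).AbsolutePath })

# Constructed sample log: two hits, one unrelated request, one near-miss filename.
$SampleLog = @'
2019-03-24T10:02:11Z 10.1.5.23 https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER362.zip
2019-03-24T10:02:15Z 10.1.5.23 https://www.example.com/index.html
2019-03-25T08:41:02Z 10.1.5.40 http://liveupdate01.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER365.zip
2019-03-25T09:00:00Z 10.1.5.41 https://liveupdate01s.asus.com/pub/ASUS/nb/Apps_for_Win8/LiveUpdate/Liveupdate_Test_VER999.zip
'@ -split "`n"

function Find-IocHits {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $fields = $line.Trim() -split '\s+'
        if ($fields.Count -lt 3) { continue }
        $url = $fields[2]
        $parsed = $null
        $path = if ([uri]::TryCreate($url, [System.UriKind]::Absolute, [ref]$parsed)) { $parsed.AbsolutePath } else { $url }
        if ($IocUrls -contains $url -or $IocPaths -contains $path) {
            [pscustomobject]@{ Time = $fields[0]; Client = $fields[1]; Url = $url }
        }
    }
}

Find-IocHits -Lines $SampleLog | Format-Table -AutoSize
```

Against the sample log this reports the two requests from 10.1.5.23 and 10.1.5.40; the VER999 line is deliberately not on the list and stays quiet, which is the behaviour you want before pointing the function at a real log with `Get-Content`.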

Contents within a backdoored Live Update archive.
Files contained within the archived .MSI files.

Researchers on Twitter also pointed out that Setup.exe was specifically backdoored to decrypt and run the attackers’ payload.

Using these details, the Huntress ThreatOps team gathered known malware samples and started the analysis process to understand which parts of Live Update were actually compromised.
