And then there was ShadowHammer, the supply chain attack on the ASUS Live Update Utility between June and November 2018, which was discovered by Kaspersky earlier this year and made public a few days ago. In short, this is how the trojanized Setup.exe works:

- An executable embedded in the Resources section has been overwritten by the first-stage payload.
- The program logic has been modified in such a way that, instead of installing a software update, it executes a payload implemented as shellcode.
- The payload enumerates the MAC addresses on the victim’s system, creates MD5 hashes of them and searches for these hashes in a large array of hardcoded values.
- If there is a match, it downloads hxxps:///logo.jpg or hxxps:///logo2.jpg, depending on the payload variant. The downloaded file is meant to be second-stage x86 shellcode, since the payload tries to execute it within its own process. However, these URLs are not accessible anymore.
- If there is no match, it creates or updates a file “idx.ini”.

More researchers jumped on this threat and wrote their own analysis as well, such as here and here. If you’re more interested in the technical details, our colleagues at Countercept have made an excellent write-up here. (Added in July 2018 – more details below)

In this post we will focus more on the differences between the variants we have discovered, and how the payload evolved over time. We will also cover some findings about the MAC addresses. In the first known versions, the embedded executable in the Setup.exe resource section has been partially overwritten by another, smaller executable that contains the shellcode.
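As an added example (not code from the original post or from any of the cited analyses), here is a defender-side check of the MAC-hash targeting logic described above: it hashes a machine's MAC addresses in several textual encodings, because the post does not state which encoding the payload fed to MD5, and compares the digests against a list of target hashes. The target hashes and MAC addresses in the block are constructed placeholders, not ShadowHammer's actual values.

```python
import hashlib
import re


def normalize_variants(mac: str) -> list:
    """Return the common textual encodings of one MAC address.

    Which encoding the payload hashed is not stated on the page (an assumption
    of this example), so a check should try the usual forms rather than one guess.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    pairs = [hexdigits[i:i + 2] for i in range(0, 12, 2)]
    variants = set()
    for case in (str.lower, str.upper):
        for sep in (":", "-", ""):
            variants.add(sep.join(case(p) for p in pairs))
    return sorted(variants)


def md5_hex(text: str) -> str:
    """MD5 of an ASCII string as a lowercase hex digest (the payload's comparison key)."""
    return hashlib.md5(text.encode("ascii")).hexdigest()


def check_macs(local_macs, target_hashes):
    """Map each local MAC to the encoding whose MD5 is in target_hashes, or None."""
    targets = {h.lower() for h in target_hashes}
    hits = {}
    for mac in local_macs:
        hits[mac] = None
        for variant in normalize_variants(mac):
            if md5_hex(variant) in targets:
                hits[mac] = variant
                break
    return hits


# Constructed demo data: in a real check the hash list comes from published
# indicators and the MACs from the host (e.g. `getmac` / `ip link`), not literals.
CONSTRUCTED_TARGET_HASHES = {md5_hex("00:11:22:33:44:55")}
CONSTRUCTED_LOCAL_MACS = ["00-11-22-33-44-55", "AA:BB:CC:DD:EE:FF"]

if __name__ == "__main__":
    for mac, hit in check_macs(CONSTRUCTED_LOCAL_MACS, CONSTRUCTED_TARGET_HASHES).items():
        print(f"{mac}: {'MATCH via ' + hit if hit else 'no match'}")
```

The dash-separated local MAC still matches the colon-separated target because every encoding is hashed; a single-format comparison would have reported a false negative.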