The security firm released 583 of the 619 MAC addresses targeted by the attackers.
The researchers disassembled Kaspersky's diagnostic tool to recover the full list of addresses.
In a recent attack campaign, attackers distributed a backdoored version of the ASUS Live Update utility to target ASUS laptop users.
It was Kaspersky Lab's Global Research and Analysis Team (GReAT) that first detected the attack campaign in January 2019, with over 57,000 Kaspersky users affected by it. The Russian security firm dubbed this supply chain attack campaign Operation ShadowHammer.
According to some estimates, over one million users downloaded the backdoored version of the ASUS Live Update package. The identity and the motives of the attackers are still unknown.
Target users identified via MAC addresses
Kaspersky researchers noted that there were multiple versions of the infected ASUS Live Update binaries, each aimed at specific users. Targets were identified against a hardcoded list of MAC addresses embedded in the backdoored samples: the malicious code ran only on machines whose network adapter's MAC address appeared in that list. On every other machine the trojanized updater behaved like the legitimate one, which is why the campaign stayed unnoticed for months despite its reach.
Kaspersky researchers reportedly found around 600 MAC addresses across more than 200 backdoored samples used in the campaign. Kaspersky released a standalone offline tool and a web page where users could check whether their MAC address was part of the target list.
List of affected MAC addresses
To make it easier for enterprises to search the target list, Australian security firm Skylight's CTO Shahar Zini shared the full list of 583 of the 619 MAC addresses targeted in the ASUS breach.
"If information about targets exists, it should be made publicly available to the security community so we can protect ourselves," Zini stated in a blog post announcing the release of the list.
With this list made public, security professionals can bulk-compare the affected addresses against their enterprise device inventories to check for any exposure. Since published lists and asset exports rarely agree on format (colons, hyphens, dotted groups, upper or lower case), the comparison should be done on a normalized form of the address rather than on the raw strings.
</gre_replace>
<gr_insert after="12" cat="add_content" lang="python" orig="With this list being">
The following is an added example of such a bulk check, not code from Skylight, Kaspersky or ASUS. It normalizes both the published target list and an asset inventory to 12 lowercase hex digits before comparing them, so that addresses written as `00:11:22:33:44:55`, `00-11-22-33-44-55` or `0011.2233.4455` all match. The target list and inventory below are constructed placeholders, not addresses from the real ShadowHammer list.

```python
"""Bulk-check an asset inventory against a published list of targeted MAC addresses.

Added example; not Skylight's, Kaspersky's or ASUS's code.
All addresses and hostnames below are constructed sample data.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed sample of a published target list, in the mixed notations such
# lists tend to use.
TARGET_LIST_TEXT = """
00:11:22:33:44:55
AA-BB-CC-DD-EE-FF
0011.2233.4457
"""

# Constructed sample of an asset-database export: hostname,mac per line.
INVENTORY_TEXT = """
laptop-01,00-11-22-33-44-55
laptop-02,aa:bb:cc:dd:ee:fe
laptop-03,AABBCCDDEEFF
laptop-04,00:11:22:33:44:57
laptop-05,not-a-mac
"""

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str) -> Optional[str]:
    """Return a MAC as 12 lowercase hex digits, or None if the input is not a MAC.

    Separators of any kind are stripped; anything that does not leave exactly
    12 hex digits is rejected rather than guessed at.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    return digits if _HEX12.match(digits) else None


def parse_target_list(text: str) -> Set[str]:
    """Parse a one-address-per-line target list into a set of normalized MACs."""
    targets: Set[str] = set()
    for line in text.splitlines():
        mac = normalize_mac(line.strip())
        if mac is not None:
            targets.add(mac)
    return targets


def find_exposed(inventory_text: str, targets: Set[str]) -> List[Tuple[str, str]]:
    """Return (hostname, normalized_mac) pairs whose MAC is on the target list.

    Inventory lines are 'hostname,mac'; malformed MACs are skipped, not matched.
    """
    hits: List[Tuple[str, str]] = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, raw_mac = line.partition(",")
        mac = normalize_mac(raw_mac)
        if mac is not None and mac in targets:
            hits.append((host, mac))
    return hits


if __name__ == "__main__":
    for host, mac in find_exposed(INVENTORY_TEXT, parse_target_list(TARGET_LIST_TEXT)):
        print(f"EXPOSED: {host} ({mac})")
```

In a real run the two text blocks would be read from the published list file and the inventory export; the normalization is the part that matters, because a single mismatched separator or case difference silently turns an affected machine into a miss.
<test>
targets = parse_target_list(TARGET_LIST_TEXT)
assert targets == {"001122334455", "aabbccddeeff", "001122334457"}
assert normalize_mac("00:11:22:33:44:55") == "001122334455"
assert normalize_mac("0011.2233.4455") == "001122334455"
assert normalize_mac("not-a-mac") is None
assert normalize_mac("00:11:22:33:44") is None
hits = find_exposed(INVENTORY_TEXT, targets)
assert hits == [
    ("laptop-01", "001122334455"),
    ("laptop-03", "aabbccddeeff"),
    ("laptop-04", "001122334457"),
]
</test>
</gr_insert>
<gr_replace lines="13-16" cat="clarify" orig="How were the raincoat">
How were the MAC addresses found?
Skylight researchers went through a lengthy process to extract the list from the offline tool released by Kaspersky. First, the researchers disassembled the tool using IDA; inside it they found the list of MAC addresses, but not in plaintext: the list was protected with a salted hash.
To recover the addresses by brute force, the researchers used a powerful AWS instance running a modified version of the Hashcat password-cracking tool and recovered 583 MAC addresses within an hour. The search is tractable because a MAC address is only 48 bits, and its first 24 bits are a vendor prefix (OUI) drawn from a limited set, so each prefix leaves just 2^24 candidates to hash.
"Enter Amazon's AWS p3.16xlarge instance. These beasts carry eight (you read correctly) of NVIDIA's V100 Tesla 16GB GPUs. The entire set of 1300 prefixes was brute-forced in less than an hour," the researchers wrote, describing the process.
How were the raincoat addresses found?
Skylight researchers went through a long method to extract the list from the offline tool discharged by Kasper sky. Firstly, the researchers disassembled the tool mistreatment International Development Association, following that they found the list of raincoat addresses however in AN encrypted type. The list was protected employing a preserved hash rule.
To crack the encoding with brute force, the researchers used a robust AWS instance running a changed version of the Hash Cat secret cracking tool to brute force 583 raincoat addresses among AN hours.
“Enter Amazon’s AWS p3.16xlarge instance. These beasts carry eight (you browse correctly) of NVIDIA’s V100 Tesla 16GB GPUs. The whole set of 1300 prefixes was brute-forced in but AN hour,” the researchers wrote, describing the method.
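The following is an added example of the prefix-by-prefix recovery described above; it is not Skylight's tooling and does not reproduce the real hash or salt. The hash construction (SHA-256 over salt plus the 12 lowercase hex digits of the MAC) and the salt value are assumptions chosen for illustration, as is the list of candidate OUIs. The point it shows is the search strategy: for each vendor prefix, enumerate the 2^24 possible suffixes, hash each candidate, and look the digest up in the set of protected entries, stopping early once everything is recovered. Hashcat does the same thing on GPUs, expressed as a mask attack per prefix with the `?h` hex charset for the six unknown nibbles; this pure-Python version is only for reading.

```python
"""Recover MAC addresses from salted hashes by brute force over known OUI prefixes.

Added example, not Skylight's or Kaspersky's code. Assumptions (not from the
article): the protected entry is SHA-256(salt + 12 lowercase hex digits),
the salt is known (it would be extracted from the disassembled tool), and the
candidate OUIs come from an external list of vendor prefixes.
"""
import hashlib
from typing import Dict, Iterable, List, Set

SALT = b"constructed-salt"  # constructed placeholder; the real salt is not known here


def mac_hash(mac_hex: str, salt: bytes = SALT) -> str:
    """Hash a MAC (12 hex digits, any case) the way this example assumes the tool does."""
    return hashlib.sha256(salt + mac_hex.lower().encode()).hexdigest()


def _clean_oui(oui: str) -> str:
    """Strip separators from an OUI like '00:11:22' or 'AA-BB-CC' -> '001122'."""
    cleaned = oui.replace(":", "").replace("-", "").replace(".", "").lower()
    if len(cleaned) != 6:
        raise ValueError(f"not a 24-bit OUI: {oui!r}")
    return cleaned


def recover_macs(hashes: Iterable[str], ouis: List[str], salt: bytes = SALT,
                 max_suffix: int = 1 << 24) -> Dict[str, str]:
    """Map each recovered digest to its MAC.

    For every OUI, suffixes 0 .. max_suffix-1 are enumerated (the full 24-bit
    space by default) and hashed; a digest found in the target set is recorded.
    The loop exits as soon as nothing remains to recover. Entries whose OUI is
    not in `ouis` stay unrecovered, which mirrors why a few of the real
    addresses were not found.
    """
    remaining: Set[str] = set(hashes)
    found: Dict[str, str] = {}
    for oui in (_clean_oui(o) for o in ouis):
        for suffix in range(max_suffix):
            if not remaining:
                return found
            candidate = f"{oui}{suffix:06x}"
            digest = hashlib.sha256(salt + candidate.encode()).hexdigest()
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
    return found


def demo() -> Dict[str, str]:
    """Constructed scenario: three protected entries, two of which use OUIs we know.

    max_suffix is lowered to 2^16 only so the demo finishes in well under a
    second in Python; a real run uses the full 2^24 per prefix on a GPU.
    """
    targets = ["001122000042", "aabbcc00ff01"]          # constructed, OUIs known
    hashes = {mac_hash(m) for m in targets}
    hashes.add(mac_hash("ddeeff123456"))                  # constructed, OUI not in list
    ouis = ["00:11:22", "AA-BB-CC"]
    return recover_macs(hashes, ouis, max_suffix=1 << 16)


if __name__ == "__main__":
    for digest, mac in demo().items():
        print(f"{digest[:16]}...  ->  {mac}")
```

The cost model is the whole story: 1300 prefixes times 2^24 suffixes is roughly 2^34 hash evaluations, which is an hour's work for a rack of GPUs but would be hopeless against the full 2^48 address space. Hashing the MAC therefore hid the targets from a casual reader of the tool, not from anyone willing to spend a little compute.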
What actions were taken by ASUS?
Before the disclosure of the attack campaign, Kaspersky informed ASUS about it on January 31, 2019. ASUS has since released a new update for the Live Update tool and added new security verification mechanisms to prevent further attacks.
The company also admitted that an unknown group of hackers gained access to its servers between June 2018 and November 2018.
All ASUS users are first advised to check whether they are affected by the backdoored version of the software; the company released a diagnostic tool to check for the infection. For users whose MAC addresses are present in the target list, ASUS recommends performing a factory reset to get rid of the backdoor and wipe the system clean, then installing the updated Live Update tool rather than the version the reset restores.