Asus infects millions of laptops in a poisoned update

Asus computer owners may need to run a malware scan today after researchers revealed that the company’s official Asus Live Update Utility software was compromised by attackers and distributed through its official website. 

The trojanized Asus utility was discovered by researchers at Russian security firm Kaspersky, which reported on Monday that 57,000 of its own users had installed the bad program. The company estimates that around one million Asus owners are affected. 

Asus, also known as ASUSTEK, is a household name that makes a range of Windows PCs and Google Chromebooks. 

Curiously for a non-targeted attack on Windows PC users, the malicious utility was only designed to infect 600 computers that use specific unique network MAC addresses. 

The targeted MAC addresses were hardcoded into over 200 different versions of the compromised utility, according to Kaspersky Lab. 

The company notes that three other vendors’ software was compromised using the same technique. 

The style of intrusion — known as a ‘supply chain attack’ — is similar to an incident over a year ago that relied on a trojanized version of Avast’s CCleaner to target employees of HTC, Samsung, Sony, VMware, Microsoft, Cisco, Lynksys, Epson, Singtel and O2. That attack was believed to have been an effort to steal intellectual property.   

The malware managed to fly under the radar from antivirus products for ages because it was signed with legitimate digital certificates that used names like “ASUSTeK Computer Inc”. Also, the malicious updaters were hosted on Asus’ actual servers. 

As far as tactics go, using legitimately signed digital certificates is popular and unoriginal, yet effective. 

The ransomware that took down Norwegian aluminum manufacturer Norsk Hydro’s global computer network last week also relied on legitimate digital certificates to sign the malware so that it looks less suspicious to antivirus products.     

The attack on Asus users bears some resemblance to a 2017 attack aimed at users of products from NetSarang, a software firm with headquarters in the US and South Korea. 

Kaspersky Lab could not precisely attribute the attack an actor, but noted some common elements with a state-sponsored group that Microsoft calls “Barium”, which is linked to the Wunnit malware that us thought to have been developed by Chinese-speaking hackers.