Operation ShadowHammer
TLP: WHITE | Barium | AlienVault | Created: 2019-03-25 | Modified: 2019-03-29
In January 2019, Kaspersky GReAT discovered a sophisticated supply chain attack involving the ASUS Live Update Utility. The attack took place between June and November 2018 and, according to their telemetry, it affected a large number of users. The attack is linked to the Winnti umbrella group BARIUM. The attackers targeted a specific, limited list of MAC addresses; to check whether an address is on the list, visit http://shadowhammer.kaspersky.com/ (the full list is not available).
Indicators of Compromise (43)