Asus infects millions of laptops in a poisoned update

Asus computer owners may need to run a malware scan today after researchers revealed that the company’s official Asus Live Update Utility software was compromised by attackers and distributed through its official website. 

The trojanized Asus utility was discovered by researchers at Russian security firm Kaspersky, which reported on Monday that 57,000 of its own users had installed the bad program. The company estimates that around one million Asus owners are affected. 

Asus, also known as ASUSTEK, is a household name that makes a range of Windows PCs and Google Chromebooks. 

Curiously for a non-targeted attack on Windows PC users, the malicious utility was only designed to infect 600 computers that use specific unique network MAC addresses. 

The targeted MAC addresses were hardcoded into over 200 different versions of the compromised utility, according to Kaspersky Lab. 

The company notes that three other vendors’ software was compromised using the same technique. 

The style of intrusion — known as a ‘supply chain attack’ — is similar to an incident over a year ago that relied on a trojanized version of Avast’s CCleaner to target employees of HTC, Samsung, Sony, VMware, Microsoft, Cisco, Linksys, Epson, Singtel and O2. That attack was believed to have been an effort to steal intellectual property.

The malware managed to fly under the radar from antivirus products for ages because it was signed with legitimate digital certificates that used names like “ASUSTeK Computer Inc”. Also, the malicious updaters were hosted on Asus’ actual servers. 

As far as tactics go, using legitimately signed digital certificates is popular and unoriginal, yet effective. 

The ransomware that took down Norwegian aluminum manufacturer Norsk Hydro’s global computer network last week also relied on legitimate digital certificates to sign the malware so that it looked less suspicious to antivirus products.

The attack on Asus users bears some resemblance to a 2017 attack aimed at users of products from NetSarang, a software firm with headquarters in the US and South Korea. 

Kaspersky Lab could not precisely attribute the attack to an actor, but noted some common elements with a state-sponsored group that Microsoft calls “Barium”, which is linked to the Winnti malware that is thought to have been developed by Chinese-speaking hackers.


Stories by Liam Tung
