Zero-day vulnerability in ASUS Live Update

Hidden functionality (backdoor)

An APT campaign was launched against ASUS between June and November 2018. The attacker compromised ASA Live Update servers and distributed malware to cca. 1 million computers worldwide. 

The attack was attributed to APT17 adversary, also known as Deputy Dog.

Vulnerability details

Advisory: SB2019032602 - Backdoor in Asus Live Update

Vulnerable component: ASUS Live Update


CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C

CWE-ID: CWE-912 - Hidden Functionality (Backdoor)


The vulnerability allows a remote attacker to compromise vulnerable system

The vulnerability exists due to hidden functionality (backdoor) is present in software. A remote attacker can use this functionality to gain full access to the application and compromise the affected system.

Note: this backdoor was implented as a result of ASUS servers compromise within the APT attack dubbed “Operation ShadowHammer”. The campaign ran from June to at least November 2018.

Known APT campaigns:

Operation ShadowHammer

The operation was aimed at ASUSTeK Computer Inc. company, one of the biggest hardware manufacturers in the world. The attackers were able to compromise Asus Live Update servers and infect cca. 1 million computers worldwide.

The trojanized version of the tool was distributed with a valid digital certificated signed by Asus. The goal of the attack was to surgically target an unknown pool of users, which were identified by their network adapters’ MAC addresses. To achieve this, the attackers had hardcoded a list of MAC addresses in the trojanized samples and this list was used to identify the actual intended targets of this massive operation.

The China-based adversary APT17 is blamed for this activity.