Kaspersky ShadowHammer Check is a portable utility released to assist users who want to check whether their machines have been compromised by Operation ShadowHammer.
Kaspersky ShadowHammer Check works by comparing the MAC addresses of all adapters against a list of predefined values. These values were hard-coded in the malware, and the tool alerts you if a match is found.
This threat is a new advanced persistent threat (APT) campaign that is affecting millions of computer users worldwide. Operation ShadowHammer began around June and November 2018, targeting users of the ASUS Live Update Utility and injecting a backdoor. Each backdoor code contained a table of hard-coded MAC addresses – the unique identifier of network adapters used to connect a computer to a network. Once running on a victim's device, the backdoor verified the device's MAC address against this table. If a MAC address matched, the malware would then download the next stage of malicious code. Another thing that aids this malware is the fact that the infiltrated updater was not informed of any network activity. In total, more than 600 MAC addresses hard-coded into the malware have been identified.
In this video, we look at the three methods to see if you're affected and what to do about it:
To use Kaspersky ShadowHammer Check, download, extract the contents, and then run the EXE file. It promptly checks the known MAC addresses associated with Operation ShadowHammer and provides you with a notification on whether or not your machine is affected.
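The adapter-by-adapter comparison described above, as an added example that is not Kaspersky's code: it parses English-locale `ipconfig /all` output, normalizes each physical address, and checks it against an indicator list. The indicator values, the sample output and all function names are constructed placeholders; the real list is not reproduced on this page.

```python
import re

# Constructed placeholder indicators in mixed notations; the real list ships
# inside Kaspersky's tool and does not appear on this page.
SAMPLE_TARGET_MACS = ["00:11:22:AA:BB:CC", "0011.22dd.eeff"]

# Constructed sample of English-locale `ipconfig /all` output (assumption).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Ethernet:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55

Wireless LAN adapter Wi-Fi:

   Physical Address. . . . . . . . . : 00-11-22-DD-EE-FF

Tunnel adapter isatap.example:

   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
"""

def normalize_mac(text):
    """Return the MAC as 12 lowercase hex digits, or None if it is not a 6-byte MAC."""
    compact = re.sub(r"[-:.\s]", "", text).lower()
    return compact if re.fullmatch(r"[0-9a-f]{12}", compact) else None

def parse_adapters(ipconfig_output):
    """Map adapter name -> normalized MAC for every adapter with a 6-byte address."""
    adapters, current = {}, None
    for line in ipconfig_output.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = line.rstrip().rstrip(":")  # unindented "... adapter NAME:" header
        elif "Physical Address" in line and current:
            mac = normalize_mac(line.split(":", 1)[1])
            if mac:  # skips 8-byte tunnel pseudo-addresses
                adapters[current] = mac
    return adapters

def find_matches(adapters, indicators):
    """Return the names of adapters whose MAC appears in the indicator list."""
    targets = {normalize_mac(m) for m in indicators} - {None}
    return sorted(name for name, mac in adapters.items() if mac in targets)

if __name__ == "__main__":
    print(find_matches(parse_adapters(SAMPLE_IPCONFIG), SAMPLE_TARGET_MACS))
```

Every adapter has to be checked, wired, wireless and virtual alike, because a match on any one of them counts.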