5/6/2023 0 Comments Ccleaner malware infected![]() Here is the list of tech targets that researchers at Cisco Talos know about. ![]() List of technology companies targeted by CCleaner malware They were able to analyze delivery code from a server and found that although 2.27 million computers were infected, the 2nd stage payload was only being delivered to a small subset of computers at high-profile technology companies. That seems to be the question of the day.Įspecially when you see the list, which Cisco Talos researchers posted on the company's Threat Intelligence Blog. We continue investigating the data dumps from the computers, and will post an update as soon as we learn more,” the company said.Who inserted malware into CCleaner, the software for optimizing PCs, with the express purpose of gaining access to companies like Intel, Sony, Samsung, and Cisco? “We don’t have a sample of the third stage payload distributed via the CCleaner hack to any of these computers, and it is not clear if it was the attacker’s intention to attack all 40 of them just a few or none. The researchers said that the modular platform could download and execute arbitrary code, create processes, and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim. ShadowPad was first discovered in August after researchers at Kaspersky Lab found a backdoor in NetSarang’s server management software package. Besides the keylogger tool, other tools were installed on the four computers, including a password stealer, and tools providing capacities to install further software and plugins on the targeted computer remotely.” “By installing a tool like ShadowPad, the cybercriminals were able to fully control the system remotely and collect all the credentials and insights into the operations on the targeted computer. “The version of the ShadowPad tool is custom-built, leading us to the assumption that it was explicitly built for Piriform,” said the company. Hron said that the tool was installed on the four Piriform computers on April 13th, 2017 after Avast found log files of ShadowPad which were encrypted keystrokes from a keylogger installed on the computers. ShadowPad is a cyber attack platform that criminals deploy in networks to gain remote control capabilities, keylogging functionality and data exfiltration. “It turned out we found an older version of stage two inside the network itself trying to download a tool called ShadowPad,” Martin Hron, security researcher at Avast, told Threatpost during SAS. Then, on four computers on the Piriform network, the company found evidence of a specialized multi-purpose and modular malware framework called ShadowPad being installed. ![]() While eliminating the threat from the Piriform network, Avast started consolidating and inspecting the Piriform infrastructure and computers, and found the preliminary versions of the stage one and stage two binary on them. ![]() “However, we now have found evidence that leads us to the assumption of what the intended third stage might have been.” “Up until now, we have not found any third stage binary on the affected computers,” the company said. ![]() The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella'. In September, Avast and Kaspersky Lab’s Costin Raiu said that they believed Chinese cyber espionage group Axiom was behind the attack. In addition to data collection, Avast said that the malware also had downloader capabilities which were active on 40 PCs. CANCUN, Mexico – As investigations continue into a backdoor that was planted in the CCleaner utility in 2017, Avast said it has found that the threat actors behind the attack were planning to install a third round of ShadowPad malware on compromised computers.Īvast, which acquired the maker of CCleaner Piriform in July, said that it has been continually investigating the malware attack on the popular PC cleaning tool CCleaner (formerly Crap Cleaner) since it was first revealed in September 2017. While the company has not found evidence of a third stage binary on infected computers, it has found evidence of “what the intended third stage might have been,” according to Avast speaking at Kaspersky Lab’s Security Analyst Summit last week.Īccording to Avast, it has found that the malware in question spread to Piriform’s build server sometime between March and July 4, 2017.Īvast in September brought the issue to light, saying that the 32-bit versions of CCleaner V and CCleaner Cloud V – which had been installed on up to 2.27 million computers – had been infected by malware collecting data such as computer names and lists of installed software and running processes. ![]()
0 Comments
Leave a Reply. |