
A recently disclosed breach at Avast-owned Piriform, makers of the popular software utility CCleaner, was a highly targeted attack performed by a sophisticated actor, Avast and Cisco security researchers have discovered.

Revealed on Monday, the compromise supposedly happened in early July, before Avast completed the purchase of Piriform. Hackers modified the 32-bit CCleaner v and CCleaner Cloud v releases to add backdoor code to them to collect user information. The modified binaries were up for download between August 15 and September 12, and resulted in over 2 million users downloading a malicious version. The infected installers were discovered by Morphisec, which alerted Avast on September 12.

Within 72 hours, the command and control (C&C) server where the malicious code sent information was taken down and clean versions of CCleaner were being pushed to users.

While initially shouting out loud that the compromise was addressed before any harm was done to users, Avast on Wednesday confirmed that this was in fact a highly targeted attack and that a secondary payload was executed on some of the impacted systems.

Analysis of the logs found on the C&C server revealed that 20 machines in a total of 8 organizations received the second-stage payload. However, the logs only covered just over three days, and the actual number of machines that received the payload could be in the hundreds, Avast says.

According to Cisco Talos researchers, the list of domains the attackers were attempting to target includes the sites of high-profile technology companies such as Singtel, HTC, Samsung, Sony, Intel, Microsoft, Cisco, O2, Vodafone and Akamai, among others.

Cisco also disclosed that the attackers “were specifically controlling which infected systems were actually delivered a stage 2 payload.” The security firm wouldn’t reveal the names of the targeted organizations, but says that these were “select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US.” This clearly means that most CCleaner users weren’t of interest to the attackers.

“The server implemented a series of checks to determine whether to proceed with standard operations or simply redirect to the legitimate Piriform website,” Cisco explains. On the server, the researchers also found a PHP file that defines the core variables and operations used, and which specifies the time zone as that of the People's Republic of China (PRC).
