![]() Payload stored information in the Windows registry key The code executed within the thread was obfuscated to make its analysis harder. After this is through, normal execution of CRT code and the CCleaner is continued, which means the thread with the payload is run in the background. The DLL was subsequently loaded and executed in an independent thread. The result of this was a DLL(dynamic link library) with a missing MZ header. The modified code performed actions before the application’s code ran, it decrypted and unpacked hard-coded shellcode(a simple XOR-based cipher was used). The first part of the malware’s payload was hidden in the application’s initialization code called CRT(Common Runtime). The company estimates that the compromised download “may have been used by up to 3% of our users”(Piriform), which would equate to around 3.9 Million users. The collected data is then sent back to a C2(Command and Control) server, that attackers have control of. The malware has the ability to and has been seen collecting information from infected users systems such as the name of the computer, IP address, list of installed software, list of running processes, list of network adapters, and MAC addresses of network adapters. The executable was signed by a valid digital signature issued to Piriform by Symantec and is valid until 2018. When the 32-bit CCleaner v was downloaded it contained a malicious payload, that included a two-stage backdoor. Attackers were able to modify the CCleaner.exe binary that users were installing from the company Piriform, which was just acquired by Avast on July 18, 2017, a company that provides Antivirus services. In that case, as in the CCleaner attack, victims installed seemingly legitimate software from a small but trusted company, only to find that it had been silently corrupted, deeply infecting their IT systems.What has been affected? CCleaner v | CCleaner Cloud v (32-bit version) | 1ĬCleaner is an application that allows users to clean temporary files, analyze systems in an effort to optimize performance, and to perform routine maintenance on a device. Two months earlier, hackers hijacked the update mechanism of the Ukrainian accounting software MeDoc to deliver a destructive piece of software known as NotPetya, causing massive damage to companies in Ukraine as well as in Europe and the United States. But it already represents another serious example in the string of software supply-chain attacks that have recently rocked the internet. The exact dimensions of the CCleaner attack will likely continue to be redrawn, as analysis continues. ![]() "If you didn’t restore your system from backup, you’re at high risk of not having cleaned this up," Williams says. Instead, the researchers recommend that anyone affected fully restore their machines from backup versions prior to the installation of Avast's tainted security program. On Wednesday, researchers at Cisco's Talos security division revealed that they've now analyzed the hackers' "command-and-control" server to which those malicious versions of CCleaner connected.įor any company that may have had computers running the corrupted version of CCleaner on their network, Cisco warns that its findings mean merely deleting that application is no guarantee the CCleaner backdoor wasn't used to plant a secondary piece of malware on their network, one with its own, still-active command and control server. It wound up installed on more than 700,000 computers. Researchers now believe that the hackers behind it were bent not only on mass infections, but on targeted espionage that tried to gain access to the networks of at least 18 tech firms.Įarlier this week, security firms Morphisec and Cisco revealed that CCleaner, a piece of security software distributed by Czech company Avast, had been hijacked by hackers and loaded with a backdoor that evaded the company's security checks. But now it's becoming clear exactly how bad the results of the recent CCleaner malware outbreak may be. Hundreds of thousands of computers getting penetrated by a corrupted version of an ultra-common piece of security software was never going to end well. Update: On September 25, Avast confirmed that of the 18 companies targeted, a total of 40 computers were successfully infected with a secondary malware installation at the following companies: Samsung, Sony, Asus, Intel, VMWare, O2, Singtel, Gauselmann, Dyn, Chunghwa and Fujitsu. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |