A cyber-attack revealed this week which spread via popular performance optimization tool CCleaner was designed to target several major technology firms, it has emerged.

Updates from both Cisco Talos and Avast – the company which now owns CCleaner developer Piriform – explained that, contrary to initial impressions, a second-stage payload was delivered from the C&C server.

The initial attack affected 2.27 million CCleaner customers, meaning the collateral damage was huge. Server logs indicate eight tech and telecoms firms received the payload, with potentially hundreds of machines infected – although only 20 were spotted during the three days logs were collected for, according to an update from Avast CEO Vince Steckler and CTO Ondrej Vlcek.

“Given that CCleaner is a consumer-oriented product, this was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were,” said the duo.

Avast refused to name the targets publicly. However, a screenshot provided by Cisco Talos showed a number of domains that the attackers were looking to compromise, including ones linked to Sony, Microsoft, VMware, Vodafone, O2, Singtel, Linksys, Gmail, D-Link, Intel, Samsung, HTC and Cisco itself.

Cisco suggested this evidence reveals “a very focused actor after valuable intellectual property.”

The complex second-stage payload comes in two parts: the first contains the main business logic and is heavily obfuscated, using anti-debugging and anti-emulation techniques to stay hidden from security tools.

“Much of the logic is related to the finding of, and connecting to, yet another CnC server, whose address can be determined using three different mechanisms: 1) an account on GitHub, 2) an account on Wordpress, and 3) a DNS record of a domain (name modified here),” explained Steckler and Vlcek.

“The second part of the payload is responsible for persistence… Structurally, the DLLs are quite interesting because they piggyback on other vendors’ code by injecting the malicious functionality into legitimate DLLs.”

Affected users were urged not merely to remove CCleaner or update to the latest version, but to restore from backups or re-image systems to ensure that they completely remove both the backdoored CCleaner version and any other malware that may be on the system.