

The CCleaner hack that saw a backdoor placed into the CCleaner binary and shared with around 2.27 million users was far from the work of a rogue staff member. The attack was much more complex and bears the characteristics of a nation state actor. The number of users infected with the first-stage malware may have been high, but they were not the focus. The real targets were technology companies and the goal was industrial espionage.

Avast, which purchased Piriform – the developer of CCleaner – in the summer, revealed earlier this month that the CCleaner v build released on August 15 was used as a distribution vehicle for a backdoor. Quick action was taken after the discovery of the CCleaner hack to take down the hacker’s server, and a new malware-free version of CCleaner was released. Avast’s analysis indicated this was a multi-stage malware, capable of downloading a second-stage payload; however, Avast did not believe the second-stage payload was ever activated. Avast said in a blog post that simply updating to the new version of CCleaner – v5.35 – would be enough to delete the backdoor, and that while this seemed to be a multi-stage malware

Additional analysis of the CCleaner hack has revealed that was not so, at least for some users of CCleaner. The second-stage malware did execute in some instances. Avast discovered that the malware was an Advanced Persistent Threat that would only send the second-stage payload to specific users. The second payload differed depending on the operating system of the infiltrated system. Avast commented, “On Windows 7+, the binary is dumped to a file called “C:\Windows\system32\lTSMSISrv.dll” and automatic loading of the library is ensured by autorunning the NT service “SessionEnv” (the RDP service). On XP, the binary is saved as “C:\Windows\system32\spool\prtprocs\w32x86\localspl.dll” and the code uses the “Spooler” service to load.”

Avast has since released an update saying, “At the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany.” Avast was able to find out that 20 machines spread across 8 organizations had the second-stage malware delivered, although since logs were only gathered for a little over 3 days, the actual total infected with the second stage was undoubtedly greater. Avast calculates the number of devices infected was likely “in the hundreds”.

The aim was to obtain access to computers used by staff of tech firms. Some of the firms targeted in this CCleaner hack include Google, Microsoft, Samsung, Sony, Intel, HTC, Linksys, D-Link, and Cisco. The majority of devices infected with the first backdoor belonged to consumers, since CCleaner is a consumer-oriented product; however, consumers are thought to be of no interest to the attackers, and the CCleaner hack was a watering hole attack.

The second stage of the attack sent keylogging and data collection malware. Kaspersky and FireEye experts have linked the attack to the hacking group APT 17, noting similarities in the infrastructure with the nation state actor.
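As an added example (not from the article or from Avast), the following PowerShell check lets a defender look for the two second-stage drop locations the article quotes and record which NT service would load each file; it assumes an elevated session on the host being examined.

```powershell
# Added example, not from the article: check this host for the second-stage DLL
# drop locations quoted above and report the state of the service that loads them.
# Run in an elevated PowerShell session.

$Checks = @(
    @{ Os = 'Windows 7+'; Path = "$env:SystemRoot\system32\lTSMSISrv.dll";                      Service = 'SessionEnv' },
    @{ Os = 'Windows XP'; Path = "$env:SystemRoot\system32\spool\prtprocs\w32x86\localspl.dll"; Service = 'Spooler' }
)

foreach ($c in $Checks) {
    # The loader service named in the article; its state tells us whether the DLL would be picked up.
    $svc = Get-Service -Name $c.Service -ErrorAction SilentlyContinue
    $svcState = if ($svc) { "$($svc.Status) / $($svc.StartType)" } else { 'not present' }

    if (-not (Test-Path -LiteralPath $c.Path)) {
        Write-Output ("[ok]    {0}: {1} not found (loader service {2}: {3})" -f $c.Os, $c.Path, $c.Service, $svcState)
        continue
    }

    # File is present: collect the details an analyst needs before deciding it is malicious.
    # Note that localspl.dll is also a legitimate component directly in system32; the
    # indicator quoted in the article is the copy under spool\prtprocs\w32x86, which is what is tested here.
    $file = Get-Item -LiteralPath $c.Path
    $sig  = Get-AuthenticodeSignature -FilePath $c.Path
    $hash = (Get-FileHash -LiteralPath $c.Path -Algorithm SHA256).Hash

    Write-Output ("[ALERT] {0}: {1} present" -f $c.Os, $c.Path)
    Write-Output ("        size={0} modified={1:u} signature={2} signer={3}" -f $file.Length, $file.LastWriteTimeUtc, $sig.Status, $sig.SignerCertificate.Subject)
    Write-Output ("        sha256={0}" -f $hash)
    Write-Output ("        loader service {0}: {1}" -f $c.Service, $svcState)
}
```

A hit should be followed by checking the file's hash against Avast's published indicators rather than treated as proof on its own, since an unsigned file in these paths is suspicious but the hash is what confirms the sample.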
