The company says it has worked to remove affected versions that were being distributed on third-party download sites. It would have been an impediment to the law enforcement agency's investigation to have gone public with this before the server was disabled and we completed our initial assessment," the company said in a statement. "Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done.
Piriform says Avast detected suspicious activity on its download server a day ahead Cisco's notification, but hadn't warned the public until today due to its cooperation with US law enforcement, which involved shutting down the affected server on September 15. As the payload was encrypted, Piriform hasn't explained what it's functionality is, however notes that it has not seen this payload being executed and believes its activation is highly unlikely.
Ccleaner cloud malware update#
"Those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system," the company said.After collecting the data, the malware downloaded a second stage payload from the third-party server.
Ccleaner cloud malware software#
While Avast has recommended that consumers update to a clean version of the software and remove the tainted version, Cisco has gone further in recommendations to companies which may have been involved. Targeting high-profile targets with a seemingly innocuous and innocent piece of software is a clever method, but seeking information from these groups suggests that the general public is not the true focus of the campaign. No damage may have been detected as of yet, but the addition of these C&C instructions does suggest the breach is more serious than first believed. It's important to note that this cannot be relied on for attribution." "Interestingly, this configuration specifies "PRC" as the time zone, which corresponds with People's Republic of China (PRC). "The web server also contains a second PHP file (init.php) that defines core variables and operations used," Cisco says. If a system met the malware's requirements, the second payload would be deployed to create a backdoor and potentially pave the way for attackers to steal information and spy on the target companies.
This information was then stored in an SQL database.
Ccleaner cloud malware series#
The server would implement a series of checks in order to avoid the efforts of security researchers as well as gather information from infected systems, such as OS version, architecture, and whether admin rights were in play. The C&C server contained PHP files responsible for handling communication between infected PCs and threat actors.
"These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor." "This would suggest a very focused actor after valuable intellectual property," the team says. Based on a review of the C&C's tracking database - which covers only four days in September - at least 20 victim machines from these companies were in line to be served secondary payloads.
0 kommentar(er)
