- Oct 23, 2012
- 12,527
A cyber-attack revealed this week which spread via popular performance optimization tool CCleaner was designed to target several major technology firms, it has emerged.
Updates from both Cisco Talos and Avast – the company which now owns CCleaner developer Periform – explained that, contrary to initial impressions, a second stage payload was delivered from the C&C server.
Server logs indicate eight tech and telecoms firms received the payload, with potentially hundreds of machines infected – although only 20 were spotted during the three days logs were collected for, according to an update from Avast CEO, Vince Steckler and CTO Ondrej Vlcek.
Updates from both Cisco Talos and Avast – the company which now owns CCleaner developer Periform – explained that, contrary to initial impressions, a second stage payload was delivered from the C&C server.
Server logs indicate eight tech and telecoms firms received the payload, with potentially hundreds of machines infected – although only 20 were spotted during the three days logs were collected for, according to an update from Avast CEO, Vince Steckler and CTO Ondrej Vlcek.
The initial attack affected 2.27 million CCleaner customers, meaning the collateral damage was huge.
“Given that CCleaner is a consumer-oriented product, this was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were,” said the duo.
Avast refused to name the targets publicly. However, a screenshot provided by Cisco Talos showed a number of domains that the attackers were looking to compromise, including ones linked to Sony, Microsoft, VMware, Vodafone, O2, Singtel, Linksys, Gmail, D-Link, Intel, Samsung, HTC and Cisco itself.
Cisco suggested this evidence reveals “a very focused actor after valuable intellectual property.”
The complex second-stage payload comes in two parts: the first contains the main business logic and is heavily obfuscated, using anti-debugging and anti-emulation techniques to stay hidden from security tools.
“Much of the logic is related to the finding of, and connecting to, a yet another CnC server, whose address can be determined using three different mechanisms: 1) an account on GitHub, 2) an account on Wordpress, and 3) a DNS record of a domain get.adxxxxxx.net (name modified here),” explained Steckler and Vlcek.
“The second part of the payload is responsible for persistence… Structurally, the DLLs are quite interesting because they piggyback on other vendors’ code by injecting the malicious functionality into legitimate DLLs.”
Affected users were urged not merely to remove the CCleaner or update to the latest version, but to restore from backups or re-image systems to ensure that they completely remove both the backdoored CCleaner version and any other malware that may be on the system.