According to the security research team at Cisco Talos, the recent CCleaner malware outbreak is much worse than first thought: a second-stage payload was delivered to 20 computers belonging to high-profile technology companies.
The malware's C&C records contain a secondary-payload deployment list naming organizations including Google, Microsoft, Intel, Vodafone, SinTel, VMware, HTC, Sony, Samsung, D-Link, Akamai, Linksys, and Cisco as targets. Talos wrote: “In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.”
The malware's C&C server was taken down after the threat was detected. The C&C tracking database covering September 12 to 16 shows that at least 20 computers from these organizations were served an advanced second-stage payload, and that is based on just four days of logs. The rest of the data the attackers had pooled from infected computers was deleted on September 12, so the database for the remaining 28 days is lost and researchers cannot determine the actual number of computers that received the second-stage payload.

Avast, the antivirus firm that owns CCleaner, confirmed the second-stage payload in a blog post: “First of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2nd stage payload to select users. Specifically, the server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds. This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered.”

From August 15 to September 12, 2.27 million computers were infected in this campaign. This new evidence points to a sophisticated attack by an organized group. Which group is behind the attack is still unknown, although there are many predictions from various parts of the industry. According to Cisco Talos, code seen in the malware embedded in CCleaner is the same as code used by the sophisticated hacking group known as Group 72 or Axiom. Because the remaining database was deleted, investigators are unable to determine whether any other systems or companies have backdoors installed.
Companies that installed CCleaner are advised to wipe their systems to make sure no second-stage malware remains hidden in their networks.