12/23/2023
Ccleaner piriform

Unrelated to the CCleaner attack, Avast also found ShadowPad samples active in South Korea and Russia, logging a financial transaction.

Today, I shared new findings from Avast’s continued investigations of the CCleaner APT (Advanced Persistent Threat) at RSA. Last September, we disclosed that CCleaner had been targeted by cybercriminals in order to distribute malware via the CCleaner installation file. The modified installation file was downloaded by 2.27 million CCleaner customers worldwide. Thereafter, our threat intelligence team has been investigating what happened. Since the update we gave at SAS last month, we have made further discoveries about how the attackers infiltrated the Piriform network and the tactics they used to fly under the radar. As we looked for similarities with other attacks, we also analyzed older versions of ShadowPad, the cyber attack platform we had found on four Piriform computers. Our investigation revealed that ShadowPad had been previously used in South Korea, and in Russia, where attackers intruded into a computer, observing a money transfer.

CCleaner attack: How the threat actors got into the Piriform network

To initiate the CCleaner attack, the threat actors first accessed Piriform’s network on March 11, 2017, four months before Avast acquired the company, using TeamViewer on a developer workstation to infiltrate. They successfully gained access with a single sign-in, which means they knew the login credentials. While we don’t know how the attackers got their hands on the credentials, we can only speculate that the threat actors used credentials the Piriform workstation user utilized for another service, which may have been leaked, to access the TeamViewer account.

According to the log files, TeamViewer was accessed at 5 AM local time, when the PC was unattended, but running. The attackers tried to install two malicious DLLs; however, the attempts were unsuccessful due to lack of admin rights to the system. On the third try, the attackers succeeded in dropping the payload, using VBScript, the scripting language developed by Microsoft.

Image: How attackers tried to get into the 1st computer

The next day, March 12, 2017, the attackers moved laterally onto a second computer, again targeting an unattended computer outside of work hours (4 AM local time). The attackers opened a backdoor through Microsoft’s Remote Desktop Service, delivering a binary and payload to the computer’s registry. The payload delivered was an older version of the second stage malware, which was delivered to 40 CCleaner users.

Image: Lateral movement to second computer on March 12

Two days later, the attackers went back to the first computer, also infecting it with the older version of the second stage malware.

Image: The attackers moved back to the first computer, infecting it with older version

After several weeks of apparent inactivity, the next stage of the payload was delivered to the first infected computer. We believe that the threat actors prepared the malicious binaries during the period of inactivity.

The attackers applied several techniques to infiltrate other computers in the internal network, including using passwords gathered by the keylogger, and logging in with administrative privileges through the Windows Remote Desktop application. The payload delivered was the infamous ShadowPad, which we believe was intended as the third stage of the CCleaner attack. It was delivered as a mscoree.dll library to four computers in the Piriform network, including a build server, masking as a. This library, which was stored on the disk, had a time stamp on it, revealing that the version of ShadowPad we found was compiled on April 4, 2017. This was just eight days before it was installed on the Piriform computers, meaning it was customized for the attack, which we also described in earlier blog posts in March and September.

The attackers were in the Piriform network five months before they snuck the malicious payload into the CCleaner build. Avast acquired Piriform on Jand the first CCleaner build with the malicious payload appeared on August 2, 2017. It’s interesting it took them so long before they initiated their attack on CCleaner users.

ShadowPad active in South Korea and Russia

After analyzing the ShadowPad executable from the Piriform network, we looked for similar files on VirusTotal. We found two samples, one that appeared in South Korea and the other in Russia. The sample that was uploaded to VirusTotal from South Korea was uploaded on December 27, 2017. It was created to communicate with CnC servers hosted by Konkuk University in South Korea, probably on a hacked PC. Based on how the sample was uploaded and the information included, we think a user uploaded it to VirusTotal, rather than a security company.

Image: Left: decrypted configuration of the virus showing the IP address used in the attack (image credit: Avast)
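As an added, defender-side illustration (not part of the Avast post and not Avast's tooling): a small triage script that flags the two patterns the timeline describes, remote-access logons (TeamViewer, RDP) outside working hours and a mscoree.dll image loaded from somewhere other than the Windows directory. The events are constructed samples, and the working-hours window and the allowlisted path are assumptions.

```python
from datetime import datetime
from pathlib import PureWindowsPath

WORK_START, WORK_END = 7, 19              # assumed local working hours, 07:00-19:00
REMOTE_SOURCES = {"TeamViewer", "RDP"}    # remote-access channels named in the narrative
WINDOWS_DIR = str(PureWindowsPath(r"C:\Windows")).lower()  # assumed legitimate home of mscoree.dll

# Constructed sample events, not real Piriform logs.
SAMPLE_EVENTS = [
    {"time": "2017-03-11 05:02:13", "kind": "logon", "source": "TeamViewer", "user": "dev1", "host": "WS-DEV1"},
    {"time": "2017-03-11 14:10:00", "kind": "logon", "source": "TeamViewer", "user": "dev1", "host": "WS-DEV1"},
    {"time": "2017-03-12 04:01:44", "kind": "logon", "source": "RDP", "user": "dev1", "host": "WS-DEV2"},
    {"time": "2017-03-12 10:15:00", "kind": "logon", "source": "console", "user": "dev2", "host": "WS-DEV2"},
    {"time": "2017-04-12 09:30:00", "kind": "image_load", "host": "BUILD01",
     "image": r"C:\Windows\System32\mscoree.dll"},
    {"time": "2017-04-12 09:31:00", "kind": "image_load", "host": "BUILD01",
     "image": r"C:\Program Files\BuildTools\mscoree.dll"},
]


def is_off_hours(ts: str) -> bool:
    """True when the timestamp falls outside the assumed working-hours window."""
    hour = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S").hour
    return hour < WORK_START or hour >= WORK_END


def is_masquerading_mscoree(image: str) -> bool:
    """True for a file named mscoree.dll that does not live under the Windows directory."""
    path = PureWindowsPath(image)
    if path.name.lower() != "mscoree.dll":
        return False
    return not str(path).lower().startswith(WINDOWS_DIR + "\\")


def triage(events):
    """Return human-readable findings for off-hours remote logons and masquerading DLL loads."""
    findings = []
    for e in events:
        if e["kind"] == "logon" and e["source"] in REMOTE_SOURCES and is_off_hours(e["time"]):
            findings.append(f"{e['time']} off-hours {e['source']} logon by {e['user']} on {e['host']}")
        elif e["kind"] == "image_load" and is_masquerading_mscoree(e["image"]):
            findings.append(f"{e['time']} mscoree.dll loaded outside Windows dir on {e['host']}: {e['image']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```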