Tuesday, December 3, 2024
HomeSecurity NewsAvast Shares CCleaner Hack Investigation Report that Reveals Third Stage Payload with...

Avast Shares CCleaner Hack Investigation Report that Reveals Third Stage Payload with Keylogger Capabilities

Published on

SIEM as a Service

Avast shared the CCleaner hack investigation report at the Security Analyst Summit in Mexico, researchers said the malware was installed on the built servers of Piriform who developed the CCleaner.

According to Avast report, 2.27 customers installed the altered version of the CCleaner and the malware introduced in Piriform servers sometime between March 11 and July 4, 2017, which is prior to Avast acquisition.

Incident Overview – CCleaner hack

The first stage of the payload that collects user information and controls second stage binary installed in millions of devices, whereas the second-stage installed only in 40 computer out of millions which makes it as the highly targeted attack on sensitive networks.

- Advertisement - SIEM as a Service

The third stage of the payload is the ShadowPad that cybercriminals install in the victims’ network to gain remote access.

CCleaner hack
Image Credits: Avast

Avast Says “To eliminate the threat from the Piriform network, we migrated the Piriform build environment to the Avast infrastructure, replaced all hardware and moved the entire Piriform staff onto the Avast-internal IT system.”

With further investigation they found ShadowPad installed in four Piriform computers on April 12th, 2017, possibly stage two downloader downloaded the ShadowPad and C&C servers were shutdown at the time of the investigation.

They also found ShadowPad log files contains encrypted keystrokes from the keylogger installed in the computer back on April 12th, 2017.

By having the tools like shadowpad in the computer attackers can gain complete remote access, record keystrokes and install malicious software on the computer remotely.

Researchers believe Chinese hacker group, Axiom, the group likely behind the CCleaner attack.According to their investigations until today the third stage of payload was not installed on any of the CCleaner customers computers.

We continue investigating the data dumps from the computers, and will post an update as soon as we learn more“, Avast said.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Threat Actors Allegedly Claims Breach of EazyDiner Reservation Platform

Reports have emerged of a potential data breach involving EazyDiner, a leading restaurant reservation...

Salesforce Applications Vulnerability Could Allow Full Account Takeover

A critical vulnerability has been discovered in Salesforce applications that could potentially allow a...

TP-Link HomeShield Function Vulnerability Let Attackers Inject Malicious Commands

A significant vulnerability has been identified in TP-Link's HomeShield function, affecting a range of...

ElizaRAT Exploits Google, Telegram, & Slack Services For C2 Communications

APT36, a Pakistani cyber-espionage group, has recently upgraded its arsenal with ElizaRAT, a sophisticated...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Poison Ivy APT Launches Continuous Cyber Attack on Defense, Gov, Tech & Edu Sectors

Researchers uncovered the resurgence of APT-C-01, also known as the Poison Ivy group, an...

Hackers Can Secretly Access ThinkPad Webcams by Disabling LED Indicator Light

In a presentation at the POC 2024 conference, cybersecurity expert Andrey Konovalov revealed a...

“Bootkitty” – A First Ever UEFI Bootkit Attack Linux Systems

Cybersecurity researchers have uncovered the first-ever UEFI bootkit designed to target Linux systems.This...