Thursday, March 28, 2024

Avast Shares CCleaner Hack Investigation Report that Reveals Third Stage Payload with Keylogger Capabilities

Avast shared the CCleaner hack investigation report at the Security Analyst Summit in Mexico, researchers said the malware was installed on the built servers of Piriform who developed the CCleaner.

According to Avast report, 2.27 customers installed the altered version of the CCleaner and the malware introduced in Piriform servers sometime between March 11 and July 4, 2017, which is prior to Avast acquisition.

Incident Overview – CCleaner hack

The first stage of the payload that collects user information and controls second stage binary installed in millions of devices, whereas the second-stage installed only in 40 computer out of millions which makes it as the highly targeted attack on sensitive networks.

The third stage of the payload is the ShadowPad that cybercriminals install in the victims’ network to gain remote access.

CCleaner hack
Image Credits: Avast

Avast Says “To eliminate the threat from the Piriform network, we migrated the Piriform build environment to the Avast infrastructure, replaced all hardware and moved the entire Piriform staff onto the Avast-internal IT system.”

With further investigation they found ShadowPad installed in four Piriform computers on April 12th, 2017, possibly stage two downloader downloaded the ShadowPad and C&C servers were shutdown at the time of the investigation.

They also found ShadowPad log files contains encrypted keystrokes from the keylogger installed in the computer back on April 12th, 2017.

By having the tools like shadowpad in the computer attackers can gain complete remote access, record keystrokes and install malicious software on the computer remotely.

Researchers believe Chinese hacker group, Axiom, the group likely behind the CCleaner attack.According to their investigations until today the third stage of payload was not installed on any of the CCleaner customers computers.

We continue investigating the data dumps from the computers, and will post an update as soon as we learn more“, Avast said.

Website

Latest articles

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...

Chinese Hackers Attacking Southeast Asian Nations With Malware Packages

Cybersecurity researchers at Unit 42 have uncovered a sophisticated cyberespionage campaign orchestrated by two...

CISA Warns of Hackers Exploiting Microsoft SharePoint Server Vulnerability

Cybersecurity and Infrastructure Security Agency (CISA) has warned about a critical vulnerability in Microsoft...

Microsoft Expands Edge Bounty Program to Include WebView2!

Microsoft announced that Microsoft Edge WebView2 eligibility and specific out-of-scope information are now included...

Beware of Free Android VPN Apps that Turn Your Device into Proxies

Cybersecurity experts have uncovered a cluster of Android VPN applications that covertly transform user...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles