11/11/2022 0 Comments Ccleaner malware threat report![]() ![]()
While we have confirmed that the number of systems affected by the backdoor was large based upon beacon information stored within the MySQL database, the attackers were specifically controlling which infected systems were actually delivered a Stage 2 payload. The use of domain-based filtering further indicates the targeted nature of this attack. The attacker used a symlink to redirect all normal traffic requesting 'index.php' to the 'x.php' file, which contains the malicious PHP script. The contents of the web directory taken from the C2 server included a series of PHP files responsible for controlling communications with infected systems. #Ccleaner malware threat report updateThese findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system. These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. This would suggest a very focused actor after valuable intellectual property. Interestingly the array specified contains Cisco's domain () along with other high-profile technology companies. php file were seen communicating with a secondary C2 or had a secondary payload deployed. Not all companies identified in the targets. ![]() Below is a list of domains the attackers were attempting to target. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. #Ccleaner malware threat report codeIn analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files. Initially, we had concerns about the legitimacy of the files. #Ccleaner malware threat report archiveDuring our investigation we were provided an archive containing files that were stored on the C2 server. Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. This information should be considered preliminary and will be updated as research continues. Note: This blog post discusses active research by Talos into a new threat. This post was authored by Edmund Brumaghin, Earl Carter, Warren Mercer, Matthew Molyett, Matthew Olney, Paul Rascagneres and Craig Williams. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |