Earlier this week, we reported on news that the popular system maintenance app CCleaner had been shipping with malware for nearly a month. We now know the attack was worse than initially thought. The backdoor in the trojanized CCleaner build could be used to deliver a second-stage payload that would run on infected systems and perform various tasks. This isn’t an unusual malware feature, but researchers initially didn’t think the capability had been used in this case. We now know that it was, and that some of the internet’s biggest players were targeted.
We now know how many computers were affected — 2.27 million total, which is far fewer than the 5 million per day that was originally estimated based on CCleaner’s download popularity. But that’s about the only good news in the entire situation. Here’s how Avast, which owns CCleaner, describes the situation:
[T]he server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds. This is a change from our previous statement, in which we said that to the best of our knowledge, the 2nd stage payload never delivered.
Talos Intelligence has published a list of targeted domains for the few days for which it has data. The list reveals a swath of targeted companies, including internal Microsoft domains and domains belonging to Samsung, Sony, Intel, Google, Cisco, and D-Link. Given that this list covers only three days out of the more than 20 days the malware was active, it’s likely that other companies were also hit.
A list of probed targets. Some are internal networks.
Avast reports that the secondary payload was highly focused and heavily obfuscated to evade automated detection, and that it was designed to reach its command-and-control (C2) server through any of a number of fallback domains rather than a single hard-coded address. Taking command-and-control servers offline is one of the most effective ways to stop an outbreak; malware that can keep trying the next server on a list is far more likely to remain active when one of them is taken down.
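From the defender’s side, a fallback list shows up in resolver logs as one host stepping through several unfamiliar domains in quick succession, most of which fail to resolve, until one answers. The following Python script is an added example written for this article; it is not code from the article, from Avast, or from Talos. The log lines, domain names, allowlist, and thresholds are all constructed assumptions.

```python
"""Flag hosts that walk through a list of fallback C2 domains.

Added example, not code from the article, Avast or Talos. The log lines,
domain names and thresholds below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed resolver log: timestamp, client IP, queried name, response code.
# The host 10.1.1.5 tries three names that do not resolve, then one that does,
# which is what stepping through a hard-coded fallback list looks like.
SAMPLE_DNS_LOG = """\
2017-09-18T10:00:01 10.1.1.5 update.example-vendor.test NOERROR
2017-09-18T10:00:03 10.1.1.9 cdn.partner.test NOERROR
2017-09-18T10:00:05 10.1.1.5 a1b2c3.example-c2-one.test NXDOMAIN
2017-09-18T10:00:06 10.1.1.5 d4e5f6.example-c2-two.test NXDOMAIN
2017-09-18T10:00:07 10.1.1.5 g7h8i9.example-c2-three.test NXDOMAIN
2017-09-18T10:00:08 10.1.1.5 j0k1l2.example-c2-four.test NOERROR
2017-09-18T10:05:00 10.1.1.9 mail.partner.test NOERROR
"""

# Domains the organisation expects to see; an assumption standing in for a
# real allowlist or a passive-DNS rarity score.
KNOWN_GOOD = frozenset({"example-vendor.test", "partner.test"})


def parse_dns_log(text):
    """Parse the whitespace-separated log into (time, client, name, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, name.lower(), rcode))
    return records


def registered_domain(name):
    """Crude registrable-domain extraction (last two labels); a real deployment
    would consult the public suffix list."""
    labels = name.rstrip(".").split(".")
    return ".".join(labels[-2:])


def flag_fallback_walkers(records, window=timedelta(minutes=2), min_distinct=3,
                          known_good=KNOWN_GOOD):
    """Return {client: sorted domains} for every client that contacted at least
    `min_distinct` distinct non-allowlisted domains inside any `window`.
    Failed lookups count too: the malware keeps walking its list until one resolves."""
    by_client = defaultdict(list)
    for ts, client, name, _rcode in sorted(records):
        domain = registered_domain(name)
        if domain not in known_good:
            by_client[client].append((ts, domain))
    flagged = {}
    for client, events in by_client.items():
        for i, (start, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - start <= window}
            if len(seen) >= min_distinct:
                flagged[client] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    for client, domains in flag_fallback_walkers(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: walked {len(domains)} domains: {', '.join(domains)}")
```

On the constructed log the check flags 10.1.1.5 and nothing else. In practice the allowlist would be replaced by a prevalence score (how many hosts in the organisation have ever resolved the domain), since a well-run campaign will register domains that look as bland as any legitimate one.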
The DLLs inside the payload are fairly interesting. They inject malicious code directly into legitimate DLLs already on the system and store their own malicious code in the registry rather than as a file on disk, a common way to sidestep file-based scanning. This is not a fly-by-night attack or casual probe. The malware and its delivery method were a sophisticated attempt to penetrate specific companies, most likely to establish a persistent foothold for stealing data or pushing further into their networks.
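A payload parked in the registry still has to be findable by the loader, which means an incident responder can find it too: a registry export will contain an unusually large REG_BINARY value, often one that begins with a PE header. The Python script below is an added example written for this article, not code from the article, Avast, or Talos. It parses the text format written by `reg export` and reports binary values that look like stored code. The export text, key paths, and the 1 KiB threshold are constructed assumptions; nothing here refers to the actual keys used in the CCleaner incident.

```python
"""Flag registry binary values that look like a stored payload.

Added example, not code from the article, Avast or Talos. It parses the text
format written by `reg export` (Windows Registry Editor Version 5.00) and
reports REG_BINARY values that either begin with a PE header or exceed a size
threshold. The export text, key paths and threshold are constructed."""
import re


def _reg_hex(data, width=25):
    """Format bytes as reg export writes REG_BINARY: hex:aa,bb,... with
    backslash continuations and two-space indents (line width approximated)."""
    pairs = [f"{b:02x}" for b in data]
    chunks = [",".join(pairs[i:i + width]) for i in range(0, len(pairs), width)]
    return "hex:" + ",\\\n  ".join(chunks)


# Constructed stand-in for a stored stage-two blob: a DOS header stub followed
# by filler. Only the leading "MZ" and the size matter to the check below.
FAKE_PAYLOAD = b"MZ" + b"\x90" * 0x3e + b"PE\x00\x00" + bytes(range(256)) * 8

SAMPLE_EXPORT = (
    "Windows Registry Editor Version 5.00\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Settings]\n"
    '"Theme"="dark"\n'
    '"Flags"=dword:00000001\n'
    '"Thumb"=' + _reg_hex(b"\x01\x02\x03\x04") + "\n"
    "\n"
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Example\\Cache]\n"
    '"Blob"=' + _reg_hex(FAKE_PAYLOAD) + "\n"
)

_VALUE_RE = re.compile(r'^"([^"]+)"=hex:(.*)$')


def parse_binary_values(export_text):
    """Yield (key, value_name, data) for each REG_BINARY value in the export,
    joining backslash-continued lines before decoding the hex bytes."""
    key = None
    lines = export_text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        else:
            m = _VALUE_RE.match(line)
            if m:
                name, body = m.group(1), m.group(2)
                while body.rstrip().endswith("\\"):
                    i += 1
                    body = body.rstrip()[:-1] + lines[i].strip()
                data = bytes(int(h, 16) for h in body.split(",") if h)
                yield key, name, data
        i += 1


def suspicious_binary_values(export_text, size_threshold=1024):
    """Return (key, name, size, reasons) for values that look like stored code.
    The 1 KiB threshold is an assumption; tune it to the hive being examined."""
    findings = []
    for key, name, data in parse_binary_values(export_text):
        reasons = []
        if data[:2] == b"MZ":
            reasons.append("starts with MZ (PE header)")
        if len(data) >= size_threshold:
            reasons.append(f"{len(data)} bytes >= {size_threshold}")
        if reasons:
            findings.append((key, name, len(data), reasons))
    return findings


if __name__ == "__main__":
    for key, name, size, reasons in suspicious_binary_values(SAMPLE_EXPORT):
        print(f"{key}\\{name}: {size} bytes; " + "; ".join(reasons))
```

The MZ check only catches a payload stored unencoded; a loader that XORs or compresses the blob before writing it defeats it, which is why the size test is kept as an independent signal and why the threshold should be set against a baseline export from a clean machine of the same build.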
Research into the attack is ongoing. As of this writing, the various companies investigating the malware are not certain if any secondary payloads were successful in stealing information or not. If you want to dig into the details of the malware, we recommend Talos Intelligence’s blog post (linked above), which contains more low-level information than Avast’s.