Inventive Hackers Hit CCleaner, but It Isn't the End: The Third Stage of Their Malicious Campaign
Hackers compromised CCleaner with a backdoor, and their plans also included infecting the networks of Google, Cisco, Microsoft and other companies with the ShadowPad keylogger.
Avast investigators have published new findings on last year's high-profile CCleaner incident. According to the report presented at the SAS conference in Mexico, the intruders compromised Piriform's CCleaner build infrastructure and planted a backdoor in the utility. Moreover, they planned to infect computers with a third variant of their malware.
The incident came to light in September 2017, when researchers discovered that an info stealer had been embedded in the 32-bit versions of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. According to the experts, this malware reached approximately 2.7 million computers; however, it collected only basic reconnaissance data such as the computer name and domain information.
As it turned out later, the info stealer was only the first stage of a large-scale campaign intended to identify which infected computers belonged to the internal networks of large technology companies such as Google, Cisco, Oracle, Intel, Akamai, Microsoft and others. During the second stage, the attackers delivered additional malware to only 40 computers in those networks. Experts also stressed that responsibility for these attacks lies with the Axiom cyber-crime group, presumably of Chinese origin.
The report at the Mexico conference showed that the attackers' strategy also involved a third stage. The researchers detected a third type of malware on the computers of Piriform employees (the company that develops CCleaner, owned by Avast since July 2017) that had been operating there since April 12, 2017. The specialists emphasized that the hackers used the Piriform network as the main foothold of their malicious campaign.
The malware in question is the multifunctional, modular ShadowPad framework. It comes with a whole set of plug-ins designed for various purposes; in particular, they function as backdoors, keyloggers and info stealers. Judging by the log files from the infected Piriform computers, in this case the hackers intended to use ShadowPad as a keylogger.
Experts take the view that ShadowPad was meant to be deployed in the third stage of this malicious campaign. Nevertheless, security researchers identified the trojanized version of CCleaner before that stage was launched, and fortunately the attackers' plans were thwarted.