1/3/2024 0 Comments Ccleaner malware breakdowqn"These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system," the researchers say.įor those who are unaware, the Windows 32-bit version of CCleaner v and CCleaner Cloud v were affected by the malware, and affected users should update the software to version 5.34 or higher. So, affected companies that have had their computers infected with the malicious version of CCleaner are strongly recommended to fully restore their systems from backup versions before the installation of the tainted security program. Just removing the Avast's software application from the infected machines would not be enough to get rid of the CCleaner second stage malware payload from their network, with the attackers' still-active C2 server. Removing Malicious CCleaner Version would Not Help However, this evidence alone is not enough for attribution.Ĭisco Talos researchers also said that they have already notified the affected tech companies about a possible breach. "The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella'," tweeted director of Global Research and Analysis Team at Kaspersky Lab.Ĭisco researchers also note that one configuration file on the attacker's server was set for China's time zone, which suggests China could be the source of the CCleaner attack. The researchers believe the secondary malware was likely intended for industrial espionage.ĬCleaner Malware Links to Chinese Hacking GroupĪccording to the researchers from Kaspersky, the CCleaner malware shares some code with the hacking tools used by a sophisticated Chinese hacking group called Axiom, also known as APT17, Group 72, DeputyDog, Tailgater Team, Hidden Lynx or AuroraPanda. Having the rug pulled out from a legitimate download like this makes it much harder for those with little security knowledge to know where to turn to protect themselves online.The CCleaner hackers specifically chose these 20 machines based upon their Domain name, IP address, and Hostname. Piriform was purchased by the anti-malware company Avast in July while a fellow anti-malware firm, Symantec, issued the infected CCleaner download with its valid security certificate. If you don’t have one or aren’t sure which to opt for, these are some of our favorites.Įven if the ramifications of it are swiftly countered though, one of the worst aspects of this sort of exploit is that they could reduce the trust people have in legitimate sources and institutions. It would also be a good idea to run standard anti-virus and anti-malware checks with your chosen security software. It suggests anyone running either version update to the latest release, which has been confirmed infection free. It warns that anyone running CCleaner version and CCleaner Cloud version could be affected. Piriform, the software’s developer, has since issued an apology for the exploit affecting so many of its customers. As Talos describes in its breakdown of the malware attack, it first lays dormant to avoid automated detection systems, before checking to see if it has. It then looks to connect to several other domains, leading to the potential download of more malicious software. If not, it shuts itself down to avoid detection, but if it does, it proceeds to gather information on the system and then sends it to a remote server for later collection. As Talos describes in its breakdown of the malware attack, it first lays dormant to avoid automated detection systems, before checking to see if it has admin access. The payload for this malware attack has several tasks once installed. Whether it’s hijacking legitimate distribution accounts, or in this case the download servers themselves, it leaves the victims vulnerable to infection even if they observe proper personal security practices. It appears to have been an exploit of the CCleaner installer’s download server, meaning that whenever anyone downloaded the software via official means, they also unwittingly downloaded a piece of malware.Īlthough malware of all types is most commonly spread through phishing attacks like infected attachments and phony links, a tactic which is seeing a lot of success is infecting trusted platforms. Although solid personal security choices are a major component in protecting yourself online, they aren’t always enough.įor possibly as long as a month, the CCleaner system maintenance application has been distributing malware through its official channels.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |