
Malware Found in CCleaner Designed for Large-Scale Cyber Espionage

Posted: September 22, 2017

Researchers reported today that the malware discovered this month in trojanized builds of CCleaner and CCleaner Cloud was designed to conduct cyber espionage on a large scale. The threat appears far more severe than initially assumed: large technology companies such as Microsoft, Google, Intel, and Sony were the real targets of the malicious payload embedded in the two affected versions of CCleaner and CCleaner Cloud.

Researchers from Cisco's Talos group have now analyzed the malware's second-stage payload, whose role in the operation was previously unknown. After verifying the authenticity of archived files from the command-and-control (C2) server that were provided to them for analysis, the Talos researchers found in the delivery code a list of organizations that were evidently the attackers' primary targets. The list includes companies such as Cisco, Samsung, and Sony; machines belonging to these companies were singled out to receive a specialized second-stage loader. A review of the C2 tracking database showed that at least 20 of the targeted machines actually received the secondary payload. According to Talos, the technical analysis indicates a sophisticated attack aimed at high-profile technology companies, most likely with the intent of stealing valuable intellectual property.

The CCleaner malware was detected in the middle of this month, when Piriform's security team noticed suspicious communication between the CCleaner products and an unknown IP address. That led to the discovery that two versions of the cleaning and optimization tools had been modified to carry a malicious payload. The company analyzed the modified code and found that the attackers' purpose was to collect data from infected systems and to gain unauthorized access to those machines. Initially, the company stated that the malware had been discovered before it could do any damage; the situation now turns out to be more complicated.

It was known from the beginning that the affected CCleaner versions had been injected with the malware before their public release, meaning the attackers compromised the vendor's build or distribution chain rather than individual downloads. The researchers have now also established that the infected versions were available for public download for around a month before the malware was detected. Given CCleaner's popularity, and the fact that many users have installed it on their corporate workstations, the malware could already have infected a huge number of systems worldwide. Large companies are believed to have already been breached, as estimates put the number of computers infected by the CCleaner malware at around 700,000.

The new findings published by the Talos researchers will certainly raise the level of concern about the CCleaner malware. In particular, it will not be sufficient for affected users simply to update to the patched CCleaner release, as Piriform initially advised. Because the payload found in CCleaner could have dropped additional malware on infected machines, the experts recommend restoring the entire system from a backup taken before the compromised version was installed, in order to be sure that it is completely clean. The authors of the malware have not yet been identified, but there are indications that the hacking group known as Group 72 could be behind the attack.
