Posted on March 14, 2018 at 7:59 AM
2017 CCleaner Attack may have had a Third Phase
Last year, CCleaner was hacked and infected with malware. The software that was supposed to be keeping millions of users safe was in fact leaving a backdoor open to cybercriminals. When Avast acquired Piriform and did the routine upgrading and checking of its newly purchased network, it found a two-phase attack embedded in the network, with a possible third phase in the making.
Newly Acquired Problems
It’s any cybersecurity company’s worst nightmare: the software that thousands of users rely on to protect them has been hacked, leaving those users vulnerable. CCleaner versions V5.33.6162 and Cloud V1.07.3191 had been infected with malware last fall. These programs are installed on over 2.25 million computers, now vulnerable to keylogging, data collection, and activity monitoring. The maker, Avast, has been working hard to uncover how and why this happened on its network. It has discovered 40 machines on its network that also carry versions of the malware with downloader capability.
When Avast acquired Piriform, the original maker of CrapCleaner, in July of last year, it had no idea this type of issue would soon be on its hands. In August the malware was discovered, and teams began unraveling what had happened. According to researchers at Avast and Kaspersky Lab, the Chinese cyber espionage group Axiom is believed to be behind the attack. The malware was initially spread on the Piriform network between March and July of 2017.
Remote control access on the Piriform network
Researchers have found two solid phases of the attack, and have an inkling of what a third phase might have been had the attack gone unchecked. While they have not found a third-stage binary on any machine to date, they have found older versions of the first- and second-stage binaries. In these older versions, 4 machines were being directed to download something called ShadowPad. ShadowPad was installed on those 4 machines in April of last year. ShadowPad is malware that allows for the remote takeover of a machine, as well as keylogging and data theft.
ShadowPad was first discovered in August of last year, when researchers at Kaspersky found a backdoor in NetSarang’s server management package. According to Kaspersky Lab, ShadowPad is able to execute arbitrary code, create processes, and maintain a virtual file system in the registry. These activities are all stored in encrypted locations unique to each target. At this time, it is not clear whether the CCleaner attack was meant to infect all 40 Piriform machines with ShadowPad, but researchers will continue investigating and keep us up to date.
The version of ShadowPad that has been discovered seems to have been custom built for Piriform. Attackers would have been able to collect all necessary login credentials and observe the operational behavior of the targeted machine. In addition to keylogger tools, the hackers also installed a password stealer and tools with the ability to install more software and plugins. Had Avast not caught this intrusion, the issue could have gotten much worse than it is, and the nightmare could have ended CCleaner altogether.