Sunday, 11 March 2018

Avast: Attackers CCleaner Also Wanted To Install keylogger

The attackers who hacked software company Piriform last year and added a backdoor to the popular CCleaner tool were also likely to install a keylogger on infected systems, according to anti-virus company Avast , which is the owner of CCleaner.

Last September, Avast announced that attackers had hacked CCleaner developer Piriform and added malware to the official version. This infected version was downloaded by 2.27 million users. The malware was added to the Piriform development platform between 11 March and 4 July 2017. The software company was acquired by Avast two weeks later on 18 July.

The first phase of the malware was to gather information about CCleaner users, such as the name of the computer, installed software and active processes. The second phase consisted of downloading additional malware. However, this was done with a select number of machines. Eventually, 40 computers received this additional malware. These included systems from major tech companies such as Intel, Samsung, Sony, Asus, NEC and the South Korean telecom provider Chunghwa Telecom.

There is no evidence that a third step has been carried out, but Avast has now found information indicating that it may have been planned. During the investigation into the hacked Piriform infrastructure, early versions of the first and second phase of the malware were discovered, as well as a tool called ShadowPad. ShadowPad is used by cyber criminals to control computers remotely. The tool was installed on four Piriform computers on April 12, while the second phase of the malware was already installed on March 12.

The older version of the second phase malware connected to a command & control server. The servers were no longer active at the time Avast analyzed the computers, so it is unknown what was downloaded, but given the time window it was probably ShadowPad. The Avast researchers also discovered ShadowPad log files with keystrokes from a keylogger installed on the computers. The keylogger had been active since 12 April and had stored keystrokes of all kinds of programs. The encountered version of ShadowPad appeared to have been specially made. Avast thinks that the attackers who had adapted especially for Piriform.

In addition to the keylogger, the attackers also installed a password builder and tools to install other software. According to Avast, there are no indications that ShadowPad is installed on the computers of CCleaner users. The virus fighter does state that it was the third phase of the attack. It is not known whether the attackers wanted to install the keylogger on all 40 attacked computers in the second phase, or just a few or not at all, this is still in under investigation.

No comments:

Post a Comment