Piriform’s CCleaner modified to deliver malicious backdoor

On September 18, 2017, CCleaner’s developer, Piriform, announced that recent versions of the CCleaner and CCleaner Cloud software had been compromised via a supply chain attack. The compromised versions were available for download from August 15th until September 12th. The compromised versions included a malicious backdoor which stealthily communicated with a command and control server and could allow malicious actors to take remote control of systems with affected versions of CCleaner installed. Avast, Piriform’s parent company, has determined that the malicious versions of the software were downloaded by approximately 2.27 million people. The following 32-bit versions of CCleaner were compromised and included the malicious backdoor:

The malicious code included with these versions of CCleaner automatically transmitted the machine’s host name, IP address, active directory domain, a list of installed software, network adapters, and other information to a command and control (C&C) server in the United States. If the infected computer’s active directory domain matched a list of domains being actively targeted by the attackers, the software then downloaded a second stage payload, a trojan, from the server. This trojan provided attackers remote administrative access to the compromised systems. The command and control server was taken down by US law enforcement on the 15th of September.

A modification of the 32-bit CCleaner binary resulted in a two-stage backdoor allowing attackers remote control of affected computers in organizations that were specifically targeted. However, based on the attacker’s level of sophistication and the length of time the compromised software was available for download, all clients are advised to quickly identify hosts that had downloaded the affected versions of CCleaner and re-image the machines.

The malicious code was in the common runtime (CRT) initialization code inserted during compilation. The modified version of CCleaner decrypted and unpacked shellcode, which resulted in a modified DLL executing on the system. This malicious code then stored several unique identifiers from the backdoored machines in the following registry location:

The malicious software automatically collected the following information about compromised machines: host name, IP address, active directory domain, a list of installed software, network adapters, and whether the currently connected user was a local administrator. The information was then encrypted and sent to a hardcoded command & control (C&C) server with an external IP address of 216.126.225.148. If the machine’s active directory domain matched a pre-defined list of targeted domains, the software was instructed to download the second stage payload, a trojanized binary.
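The advisory above tells clients to identify hosts that had the affected CCleaner builds and re-image them. As an added example (not code from the original post, Piriform or Avast), the script below combines the two signals a defender has for that: a software inventory showing a 32-bit CCleaner at an affected version, and firewall records of outbound connections to the hardcoded C&C address named above. The inventory CSV layout, the firewall log format, the hostnames and the version strings are all constructed for illustration; the post does not reproduce the affected version list, so the affected versions are passed in as a parameter and the sample uses an obvious placeholder where the vendor's published version numbers would go.

```python
import re
from collections import defaultdict

# C&C address from the write-up; outbound traffic to it is a compromise indicator.
CC_SERVER_IP = "216.126.225.148"

# Constructed inventory layout: host,product,version,arch
INVENTORY_FIELDS = ("host", "product", "version", "arch")

# Constructed firewall line layout:
# <timestamp> src=<ip> dst=<ip> dport=<port> action=<allow|deny> host=<name>
FW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+).*?host=(?P<host>\S+)")


def parse_inventory(lines):
    """Turn inventory CSV lines into dicts, skipping comments and malformed rows."""
    rows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != len(INVENTORY_FIELDS):
            continue
        rows.append(dict(zip(INVENTORY_FIELDS, parts)))
    return rows


def hosts_with_affected_build(inventory_rows, affected_versions):
    """Hosts running a 32-bit CCleaner whose version is on the affected list.

    Only the 32-bit builds were trojanized, so the architecture is checked too.
    """
    hits = set()
    for row in inventory_rows:
        if (row["product"].lower() == "ccleaner"
                and row["arch"] == "x86"
                and row["version"] in affected_versions):
            hits.add(row["host"])
    return hits


def hosts_beaconing(firewall_lines, cc_ip=CC_SERVER_IP):
    """Hosts that tried to reach the C&C address.

    Denied attempts count as well: the backdoor tried to call home, which
    means the affected build was running on that machine.
    """
    hits = set()
    for line in firewall_lines:
        m = FW_RE.search(line)
        if m and m.group("dst") == cc_ip:
            hits.add(m.group("host"))
    return hits


def hosts_to_reimage(inventory_lines, firewall_lines, affected_versions,
                     cc_ip=CC_SERVER_IP):
    """Map each host needing re-imaging to the sorted list of reasons."""
    reasons = defaultdict(list)
    inventory = parse_inventory(inventory_lines)
    for host in hosts_with_affected_build(inventory, affected_versions):
        reasons[host].append("affected CCleaner build installed")
    for host in hosts_beaconing(firewall_lines, cc_ip):
        reasons[host].append(f"outbound connection to C&C {cc_ip}")
    return {host: sorted(r) for host, r in sorted(reasons.items())}


# Constructed sample data. The version strings are placeholders for the
# vendor's published affected/clean version numbers.
SAMPLE_INVENTORY = """\
# host,product,version,arch
WS-FINANCE-01,CCleaner,AFFECTED-VERSION-PLACEHOLDER,x86
WS-HR-02,CCleaner,CLEAN-VERSION-PLACEHOLDER,x86
WS-DEV-03,CCleaner,AFFECTED-VERSION-PLACEHOLDER,x64
SRV-FILE-01,7-Zip,16.04,x64
""".splitlines()

SAMPLE_FIREWALL = """\
2017-09-01T10:00:00Z src=10.0.0.5 dst=216.126.225.148 dport=443 action=allow host=WS-FINANCE-01
2017-09-01T10:05:00Z src=10.0.0.9 dst=203.0.113.10 dport=443 action=allow host=WS-HR-02
2017-09-02T08:12:00Z src=10.0.0.22 dst=216.126.225.148 dport=443 action=deny host=WS-LAB-07
""".splitlines()

if __name__ == "__main__":
    for host, why in hosts_to_reimage(SAMPLE_INVENTORY, SAMPLE_FIREWALL,
                                      {"AFFECTED-VERSION-PLACEHOLDER"}).items():
        print(f"{host}: re-image ({'; '.join(why)})")
```

The firewall signal is the more useful of the two in practice: an inventory only shows what is installed now, while a connection record to the C&C address proves the backdoor ran, even on a host (WS-LAB-07 in the sample) that no longer appears in the inventory with the affected build.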