

There is a new twist in the CCleaner hack saga: the attackers apparently didn’t set out to compromise as many machines as possible, but were after some very specific targets.

A stealthy, targeted attack

According to Cisco, their actual targets were computers at a number of huge tech companies like Intel, Microsoft, Linksys, Dlink, Google, Samsung and Cisco, telecoms such as O2 and Vodafone, and (the odd man out) Gauselmann, a manufacturer of gaming machines.

Cisco researchers came to this conclusion after analyzing an archive containing files that were stored on the attackers’ C&C server, and finding the list of domains the attackers were attempting to target.

According to their findings, some 700,000 hosts were saddled with the backdoored CCleaner. Of these, some 540 are government systems around the world, and 51 belong to domains containing the word “bank” in their name.

They also identified 20 unique hosts at eight (unnamed) companies that received the second stage payload that followed the CCleaner backdoor compromise. But, as they noted, the number of compromised hosts and companies is likely higher, as the list was probably changed over the month or so the server was active.

Avast also arrived at the same conclusion. They posit that the actual number of computers that received the second stage payload “was likely at least in the order of hundreds.”

The second stage payload uses two components (DLLs): the first component contains the main business logic, and the second is responsible for persistence.

“Much of the logic is related to the finding of, and connecting to, yet another CnC server, whose address can be determined using three different mechanisms: 1) an account on GitHub, 2) an account on WordPress, and 3) a DNS record of a domain (name modified here). Subsequently, the address of the CnC server can also be arbitrarily modified in the future by sending a special command, recognized by the code as a signal to use the DNS protocol (udp/53) to get the address of the new server,” Avast’s CEO and CTO explained.

“The second part of the payload is responsible for persistence. Here, a different mechanism is used on Windows 7+ than on Windows XP.”

Another thing that points to the attackers’ high level of sophistication is that the DLLs piggyback on other vendors’ code by injecting the malicious functionality into legitimate DLLs (one is part of Corel’s WinZip package, and the other a part of a Symantec product).

What are the attackers after?

Cisco researchers posit that the attackers are after valuable intellectual property.

They also found an overlap between code used in these malware samples and malware previously used by Group 72 (aka Axiom), a long-standing threat actor that has been known to target high-profile organizations with high-value intellectual property in the manufacturing, industrial, aerospace, defense, and media sectors in the US, Japan, Taiwan, and Korea. But, they pointed out, this information cannot be relied on for attribution.

The researchers found another thing that points towards China: the C&C server’s configuration specifies “PRC” (People’s Republic of China) as the time zone. It is believed that Group 72 is a state-sponsored actor backed by the Chinese government.
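The target-domain list recovered from the C&C server is what separated the 700,000 backdoored hosts from the handful that got the second stage. The following is an added example (written for this page, not Cisco’s or Avast’s tooling) of how an analyst would replay that selection over a list of reporting hosts: match each host against the target domains on label boundaries, and count the government and “bank” domains the way the article does. The beacon hostnames and the target list are constructed; the real list from the server archive is not reproduced here.

```python
"""Triage of a C&C host list against a target-domain list, in the spirit of
the Cisco analysis described above.  Added example for this page, not
Cisco's tooling; the beacon records and the target list are constructed
(the real list recovered from the server archive is not reproduced here)."""

from typing import Dict, Iterable, List, Tuple

# Constructed target list: bare domains of companies the article names.
TARGET_DOMAINS = ["intel.com", "microsoft.com", "cisco.com", "vodafone.com"]

# Constructed beacon hostnames, as a backdoored host might report them.
BEACONS = [
    "ws012.corp.intel.com",
    "build7.microsoft.com",
    "laptop.notmicrosoft.com",     # substring trap: not a Microsoft host
    "mail.treasury.gov",
    "dc01.cityofexample.gov.uk",
    "hr.firstbank.example",
    "kiosk.bankofexample.com",
    "home-pc.lan",
]


def domain_matches(host: str, target: str) -> bool:
    """Suffix match on label boundaries: 'a.b.intel.com' matches 'intel.com',
    but 'notintel.com' does not.  A plain substring test would over-select."""
    host = host.lower().rstrip(".")
    target = target.lower().rstrip(".")
    return host == target or host.endswith("." + target)


def select_stage2_candidates(
    hosts: Iterable[str], targets: Iterable[str]
) -> List[Tuple[str, str]]:
    """Hosts whose domain is on the target list, paired with the matching
    target; these are the hosts an operator would push the second stage to."""
    targets = list(targets)
    matched = []
    for host in hosts:
        for target in targets:
            if domain_matches(host, target):
                matched.append((host, target))
                break
    return matched


def is_government(host: str) -> bool:
    """True for .gov and country-specific forms such as .gov.uk."""
    return "gov" in host.lower().rstrip(".").split(".")


def mentions_bank(host: str) -> bool:
    """The article's criterion is simply the word 'bank' in the domain name."""
    return "bank" in host.lower()


def summarize(hosts: Iterable[str], targets: Iterable[str]) -> Dict[str, int]:
    """Counts in the shape of the figures the article reports."""
    hosts = list(hosts)
    return {
        "total": len(hosts),
        "stage2_candidates": len(select_stage2_candidates(hosts, targets)),
        "government": sum(is_government(h) for h in hosts),
        "bank": sum(mentions_bank(h) for h in hosts),
    }


if __name__ == "__main__":
    for host, target in select_stage2_candidates(BEACONS, TARGET_DOMAINS):
        print(f"stage 2 candidate: {host} (target {target})")
    print(summarize(BEACONS, TARGET_DOMAINS))
```

The label-boundary check matters in both directions: it keeps `notmicrosoft.com` off the stage-two list, and it is the test to use when hunting your own DNS or proxy logs for hosts that would have qualified.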

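The three-way C&C lookup Avast describes (a GitHub account, a WordPress account, then a DNS record) is a dead-drop resolver: the bot never carries a fixed server address, it reads one from places the operator can edit, and a later command can force it to re-resolve over DNS so the server can be moved after deployment. The block below is an added, offline model of that control flow, written for this page and not the malware’s own code. Everything concrete in it is an assumption: the HTML-comment encoding of the address, the page contents, the DNS records, the `USE_DNS` command name, and the use of plain Python callables in place of HTTPS fetches and udp/53 queries.

```python
"""Offline model of the three-way C&C address lookup Avast describes for the
second stage (GitHub account, WordPress account, DNS record) and of the
command that forces a fresh lookup over DNS.  Added example for this page,
not the malware's code.  Assumptions: the marker-based encoding, the page
contents, the DNS records and the command name are invented; real lookups
would go over HTTPS and udp/53, here they are plain callables."""

import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Hypothetical dead-drop encoding: host:port hidden in an HTML comment.
MARKER_RE = re.compile(r"<!--c2:([A-Za-z0-9.\-]+:\d{1,5})-->")


def extract_address(page: Optional[str]) -> Optional[str]:
    """First marker-wrapped host:port in fetched page text, or None."""
    if not page:
        return None
    m = MARKER_RE.search(page)
    return m.group(1) if m else None


@dataclass
class C2Resolver:
    """Ordered chain of web dead-drop fetchers, then a DNS fallback."""
    web_sources: List[Callable[[], Optional[str]]]
    dns_lookup: Callable[[str], Optional[str]]
    dns_name: str
    current: Optional[str] = None

    def resolve(self) -> Optional[str]:
        for fetch in self.web_sources:
            try:
                addr = extract_address(fetch())
            except OSError:        # account gone / network error: next source
                continue
            if addr:
                self.current = addr
                return addr
        return self.resolve_via_dns()

    def resolve_via_dns(self) -> Optional[str]:
        """Stand-in for the udp/53 query the real payload makes."""
        addr = self.dns_lookup(self.dns_name)
        if addr:
            self.current = addr
        return self.current

    def handle_command(self, command: str) -> Optional[str]:
        """'USE_DNS' (hypothetical name) re-points the bot using DNS only,
        which is how the operator can move the server after deployment."""
        if command == "USE_DNS":
            return self.resolve_via_dns()
        return self.current


# Constructed inputs: documentation IP ranges and a reserved TLD only.
GITHUB_PAGE = "<html><body>profile: nothing here</body></html>"   # scrubbed
WORDPRESS_PAGE = "<p>hello</p><!--c2:203.0.113.10:443--><p>bye</p>"
DNS_RECORDS: Dict[str, str] = {"drop.example.invalid": "198.51.100.7:8080"}


def github_fetch() -> str:
    return GITHUB_PAGE


def wordpress_fetch() -> str:
    return WORDPRESS_PAGE


def unreachable_fetch() -> str:
    raise OSError("connection refused")


def dns_lookup(name: str) -> Optional[str]:
    return DNS_RECORDS.get(name)


def demo() -> Dict[str, Optional[str]]:
    bot = C2Resolver([github_fetch, wordpress_fetch], dns_lookup,
                     "drop.example.invalid")
    first = bot.resolve()                   # GitHub has no marker -> WordPress
    DNS_RECORDS["drop.example.invalid"] = "198.51.100.9:53"   # operator moves
    second = bot.handle_command("USE_DNS")  # DNS is now authoritative
    dead = C2Resolver([unreachable_fetch], lambda _n: None,
                      "none.invalid").resolve()
    return {"first": first, "second": second, "all_sources_down": dead}


if __name__ == "__main__":
    print(demo())
```

The defensive reading of this layout is that takedowns of any single rendezvous point do not kill the channel, and that the DNS leg is the one the operator falls back to on purpose; on a suspected host, outbound udp/53 to resolvers other than the corporate ones, and GitHub or WordPress fetches from processes that have no business making them, are the observable side effects.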