On Monday, it was revealed that the official and digitally signed installers for two versions of CCleaner, a utility for removing temporary files and invalid registry entries on Windows computers, contained a backdoor program capable of installing additional malware. These malware-laden programs were distributed between August 15 and September 12.

The fact that the malicious code was added to CCleaner before it was compiled suggests that hackers gained access to the development infrastructure of Piriform, the company that makes the tool. Piriform was acquired in July by antivirus maker Avast.

As far as the malicious code found in CCleaner is concerned, there is overlap with APT17/Aurora, Costin Raiu, director of the Global Research and Analysis Team at antivirus vendor Kaspersky Lab, who analyzed the malware, told me.

APT17, also known as DeputyDog, is a cyberespionage group that has been operating for over a decade. Over the years, the group has hacked into government entities, non-government organizations, law firms and companies from various industries, including defense, information technology and mining. The group was also behind Operation Aurora, a high-profile attack in 2009 that affected Google and over 30 other companies.

The backdoor included in the 32-bit versions of CCleaner v and CCleaner Cloud v was designed to gather identifying information about the infected computers and send it to a hard-coded IP address.

An earlier version of CCleaner.

If the server was unreachable, the malware would generate random-looking domain names based on a special algorithm and attempt to contact those. The backdoor program included with CCleaner also attempted to download and execute additional malware from the command-and-control server. Cisco Systems' Talos group confirmed in a new report Wednesday that at least 20 victim machines belonging to high-profile technology companies were served such secondary payloads.

Jay Rosenberg, a researcher with security firm Intezer, also confirmed that the CCleaner backdoor has code that's identical to that used in APT17's past malware tools. Intezer's technology is specifically designed to find code similarities in malware.

"The code in question is a unique implementation of base64 only previously seen in APT17 and not in any public repository, which makes a strong case about attribution to the same threat actor," Rosenberg wrote in a blog post.

Raiu also pointed out that while the code overlaps with APT17, the command-and-control infrastructure used matches that of a newer attack group. However, there is a connection between these two groups, as they're both tied to a larger cyberespionage organization known in the security industry as Axiom.

Axiom was documented in 2015 by threat analytics firm Novetta in partnership with other security vendors. It is a sort of umbrella group responsible for many cyberespionage campaigns over many years and which Novetta believes are coordinated by China's intelligence apparatus.

"FireEye found infrastructure overlap with a nation state threat actor," Christopher Glyer, the chief security architect at security firm FireEye, said in a public discussion on Twitter about the CCleaner incident. "CCleaner is used in lots of orgs (even if primarily consumer focused)."
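The article notes that when the hard-coded command-and-control address was unreachable, the backdoor fell back to algorithmically generated, random-looking domain names. On the defender's side, that fallback is what tends to surface in DNS telemetry: a host suddenly resolving labels that look like noise. The script below is an added example and is not code from the article or from any of the vendors it cites. It assumes a constructed, line-oriented DNS query log in the format "<timestamp> <client-ip> <qname>", and it applies a generic combination of three heuristics (label entropy, digit density, and long runs without vowels) that is not tied to CCleaner's actual algorithm, which the article does not describe.

```python
"""Triage DNS query logs for DGA-like fallback lookups (added example).

Not code from the article or from Kaspersky, Intezer, Talos or FireEye.
The log format and all thresholds below are assumptions for illustration;
the heuristics are generic and do not model CCleaner's own algorithm.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log lines (not real telemetry): "<timestamp> <client-ip> <qname>"
SAMPLE_LOG = """\
2017-09-13T10:01:02Z 10.0.0.12 www.example.com
2017-09-13T10:01:05Z 10.0.0.12 ab6d54340c1a2.com
2017-09-13T10:01:06Z 10.0.0.12 ab2da3f41343fc.com
2017-09-13T10:01:07Z 10.0.0.12 mail.example.org
2017-09-13T10:01:08Z 10.0.0.31 xkqwzvtplmrhg.net
"""

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits per character of the string; higher means closer to uniform noise."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def sld_label(qname):
    """Second-level label (the label just left of the TLD).

    Simplification: assumes a single-label public suffix, so co.uk-style
    suffixes are not handled. A production version would use a PSL library.
    """
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def longest_non_vowel_run(label):
    """Length of the longest run of characters that are not vowels."""
    best = run = 0
    for ch in label:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def dga_signals(qname, min_len=10, entropy_min=3.2, digit_min=0.3, run_min=5):
    """Return the list of heuristic signals that fire for a query name.

    Short labels are skipped entirely: entropy is meaningless on them and
    most legitimate brand names are short. Thresholds are assumed values.
    """
    label = sld_label(qname)
    if len(label) < min_len:
        return []
    signals = []
    if shannon_entropy(label) >= entropy_min:
        signals.append("high-entropy")
    if sum(ch.isdigit() for ch in label) / len(label) >= digit_min:
        signals.append("digit-heavy")
    if longest_non_vowel_run(label) >= run_min:
        signals.append("unpronounceable")
    return signals


def is_dga_like(qname, min_signals=2):
    """Require two independent signals: long real words (e.g. 'stackoverflow')
    can trip the entropy check alone, so a single signal is not enough."""
    return len(dga_signals(qname)) >= min_signals


def triage_log(log_text):
    """Parse the assumed log format and return {client_ip: [flagged qnames]}.

    Grouping by client matters: a burst of flagged lookups from one host is
    the pattern a C2 fallback produces, and it is what an analyst pivots on.
    """
    hits = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # malformed or blank line; skip rather than crash
        _ts, client, qname = fields
        if is_dga_like(qname):
            hits[client].append(qname)
    return dict(hits)


if __name__ == "__main__":
    for client, names in triage_log(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like lookups -> {names}")
```

The two-signal rule is the design choice worth noting: entropy on its own flags any long word made of mostly distinct letters, so a second, independent feature is required before a name is reported. Run against real resolver logs, the output is a triage list rather than a verdict; the flagged hosts are where an analyst would then look for the hard-coded C2 address and any secondary payload activity the article describes.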