Following the recent CCleaner malware incident, Avast (the new owner of CCleaner) and Cisco’s Talos Intelligence security research group have continued to analyze the attack. The two found that the malware was more sophisticated than originally thought and was targeting large companies to steal their intellectual property.
Advanced Persistent Threat
Avast concluded that the malware was in fact a type of attack called an advanced persistent threat (APT), which is a sophisticated attack usually launched by nation states. The APT that infected CCleaner was supposed to deliver a second-stage payload only to select victims.
Of the 2.27 million users who installed the infected CCleaner version, Avast believes that only a few hundred were also infected by the second-stage payload. Avast had previously said that it believes the second stage payload was never deployed, but the company has now walked back that statement.
Large Companies Targeted
The antivirus maker stated that the APT targeted large technology and telecommunications companies from Japan, Taiwan, UK, Germany, and the U.S. via a watering hole attack, which is an attack that targets popular websites or tools used by millions, only to infect a few targets that may also use those same tools. The name is taken from the real world where some predators wait for an opportunity to pick their prey from the animals that come to drink water at a watering hole.
Avast didn’t want to say who were the targets of this attack, but Cisco revealed a list of targets the attackers were attempting to hack. Besides Cisco itself, the list includes Intel, HTC, Samsung, Sony, VMware, Microsoft, Vodafone, Epson, Linksys, MSI, Akamai, and a few others.
Complex Obfuscated Code
According to Avast, the second-stage payload contains complex and obfuscated code and includes two DLL components. The first component comes with anti-debugging and anti-emulation mechanisms, and its purpose seems to be finding another command and control (C2) server.
The C2 server’s address could be modified in the future, which means that it may not be enough that law enforcement shut down the original C2 servers. The attackers may be able to regain control of the infected machines and continue to control them remotely through a new another server.
The second part of the second-stage payload is responsible for persistence on the operating system, and they seem to be piggybacking on other vendors’ applications to avoid detection and maintain persistence. The 32-bit version of the code embeds itself into a Winzip package, whereas the 64-bit one uses a Symantec dll. Most of the malicious code is delivered from the registry. Avast noted that all of these techniques demonstrate a high level of sophistication from the attacker.
Attribution is difficult for cyber attacks, as sophisticated attackers can often make it look as if someone else did it by re-using other attackers’ code or hacking styles. They may effectively hide behind reused IP addresses by launching their attacks from computers they hack in a given country. This is also why Avast is reluctant to say for sure who the attackers were right now, but it promised to continue to work with law enforcement to find out who was responsible.
However, Cisco and Kaspersky were both able to confirm that the malware uses code that overlaps with malware code used by “Group 72,” also called “Deep Panda,” “Axiom,” and “Shell Crew.” Group 72 is believed to be a cyber espionage group funded by the Chinese government, and it’s also believed to be responsible for stealing 80 million U.S. social security numbers from health insurance company Anthem.
Avast initially suggested that it should be enough to update to the clean version of CCleaner, but Cisco recommended that it would be safer to restore from backups and reimage the systems. Avast also recommends updating to CCleaner 5.35, as the company has now also revoked the Symantec certificate it was using to sign the infected 5.33 version as well as the cleaned-up 5.34 version.