The threat actor that recently compromised the supply chain of the CCleaner software to distribute a tainted version of the popular software targeted at least 20 major international technology firms with a second-stage malware.
When experts first investigated the incident did not discover a second stage payload, affected users were not infected by other malware due to initial compromise.
“In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target.” reads the analysis published by Cisco Talos.
The list of domains targeted by hackers is long and included:
The analysis of the C&C server revealed that nearly 700,000 machines were infected by the tainted version of CCleaner, and at least 20 machines were infected with the second-stage payload. The machines infected with the secondary malware were targeted based upon their Domain name, IP address, and Hostname, this circumstance suggests that attackers most likely were conducting an industrial espionage operation.
“The C2 MySQL database held two tables: one describing all machines that had reported to the server and one describing all machines that received the second-stage download, both of which had entries were dated between Sept. 12th and Sept. 16th. Over 700,000 machines reported to the C2 server over this time period, and more than 20 machines have received the second-stage payload. It is important to understand that the target list can be and was changed over the period the server was active to target different organizations.” continues Talos.
“During the compromise, the malware would periodically contact the C2 server and transmit reconnaissance information about infected systems. This information included IP addresses, online time, hostname, domain name, process listings, and more. It’s quite likely this information was used by the attackers to determine which machines they should target during the final stages of the campaign.”
Who is the culprit?
Talos experts note that one configuration file on the C&C server was set for China’s time zone, which suggests China-based attackers could be behind the CCleaner attack.
According to the researchers from Kaspersky, the malicious code used in the CCleaner incident has similarities with the hacking tools used by a the APT17 group, aka Axiom, Group 72, DeputyDog, Tailgater Team, Hidden Lynx or AuroraPanda.
— Costin Raiu (@craiu) September 19, 2017
Cisco Talos notified the affected tech companies about a possible security breach.
(Security Affairs – CCleaner, malware)