Trojanized CCleaner Investigation: Lucky BreakBackup Server Reveals Secondary Malware Hit Intel, VMware, Fujitsu and Others
Researchers investigating the infection of hundreds of thousands of computers with a trojanized version of a popular software utility, CCleaner, have had a lucky break that gives greater insight into the hackers' goals.
The trojanized version of CCleaner gave unknown attackers the ability to potentially push secondary malware onto any infected system they desired. But the command-and-control server used by attackers had a small hard drive, and when it was recovered by Avast - with the help of law enforcement agencies - it was only storing three days' of attack data, listing 18 targeted companies.
Now, however, researchers at Czech anti-virus vendor Avast, which owns Piriform - the British developer of CCleaner - have gained access to a second server storing data that has revealed a list of additional computers that may have been hit with secondary malware by attackers.
CCleaner is a popular Windows utility designed to tidy up hard drives and flush temporary files.
The CCleaner incident represents one of most feared kinds of cyberattacks - attackers messing with a trusted supply chain. In this case, hackers infiltrated a server that distributes CCleaner and replaced the legitimate installer with a trojanized version that contained malicious, hidden code designed to create a stealthy backdoor on the system. The malicious version even carried a valid digital signature, making it appear to be legitimate.
Between Aug. 15 and Sept. 15, 2.27 million Windows computers were infected with trojanized CCleaner software, including machines at major technology companies. Cisco's security arm, Talos, has found that affected companies included Akamai, D-Link, Google, HTC, Intel, Linksys, Microsoft, Samsung, Sony, VMware and even Cisco itself (see Trojanized Avast CCleaner Attack Targeted Major Tech Firms).
Cisco released those names after analyzing the command-and-control server used to relay instructions to machines infected with the tampered version of CCleaner. But as noted, the server's hard drive only contained data for the last three days' worth of attacks.
Backup Server Found
Avast, however, now says the attackers had been backing up the data off the server, before it apparently had crashed around Sept. 10. The backup, which the anti-virus vendor obtained, includes lists of infected computers stretching back to Aug. 18, although one 40-hour window remains missing, Avast says in a Monday update on its security investigation.
The backup server provides valuable new insights, because it tells researchers how many computers received the second-stage payload. Researchers suspect that while 2.27 million computers were infected with a trojanized version of CCleaner, the attackers were only interested in specific companies - mostly large technology or telecommunications firms - which they targeted with additional malware.
Hence what may have looked like an attempt to infect as many computers as possible now appears to involve a "shotgun" style initial infection designed to enable attackers to handpick a small selection of high-value targets. Indeed, only 40 of the 2.27 million infected computers appear to have received a secondary payload, in what was a "truly targeted attack," according to Avast.
Secondary Payload Targets
The greatest number of PCs - 13 - infected by the secondary malware were located at Chunghwa Telecom of Taiwan. Japan's NEC had 10 infected computers, and South Korea's Samsung had five. Other affected companies included Intel, VMware, Asus, Fujitsu, U.K. mobile operator O2, Singapore's Singtel and a German leisure gaming company called Gauselmann.
"We have reached out to all these companies, with the aim of providing them with detailed information about the incident, list of impacted computers, and additional IOCs [indicators of compromise] that can be used to detect the infection and take corrective actions," according to Avast's security update.
The attackers' behavior suggests that they had a predetermined list of targets they wanted to compromise, such as carriers, ISPs, server hosting companies and domain name registrars, Avast says. Those types of organizations could be useful for attackers trying to unleash further supply-chain attacks.
Avast says it is still investigating the secondary payload and what impact it might have.
"Obviously, the fact that the second stage payload has been delivered to a computer connected to a company network doesn't mean that the company network has been compromised," Avast writes. "However, proper investigation is in order and necessary to fully understand the impact and take remediation actions."
Attribution Clues, or False Flags?
Researchers have previously noted that attackers connected to the command-and-control server from proxy connections - mostly in Asia - and that none of the targeted companies are Chinese. In addition, part of the malware bears "striking similarities" to malware previously attributed to a Chinese APT attack group known as APT17, Aurora Panda and Group 72, among other names. None of the secondary payload attacks were directed at Chinese targets. And configuration scripts for the database used in the attack were also set to PRC -People's Republic of China - time.
Based on analysis of the newly recovered database, the attackers appeared to work an eight-hour day, sign off for a while, and then come back online for another five hours. If that's a day job, the time stamps would put them somewhere in Russia, or the eastern parts of the Middle East, Central Asia or India.
But Avast readily acknowledges that trying to derive perpetrators' identity from work or code patterns is inherently flawed. "The problem with all these indications is that they are all very easy to forge: they might have been added simply to make investigation more difficult and to hide the true origin," the company notes.