13.03.2018., 12:32
#4
McG
Registration date: Feb 2014
Location: Varaždin
Posts: 8,288
Avast Shares New Info on 2017 CCleaner Incident: Possible 3rd Stage Payload
Quote:
Speaking at a conference in Mexico, the company's researchers said they uncovered new evidence to suggest that the hackers who breached CCleaner's infrastructure were preparing to deploy a third malware strain on infected computers. This new strain was found on four computers of Piriform employees, Piriform being the company behind the CCleaner app, which Avast bought in July 2017. These infections went back to April 12, 2017, and Avast believes it was used to scout Piriform's network in preparation for the main hack that was to come over the summer. The name of this malware is ShadowPad — a multi-purpose and modular malware framework that comes with many plugins which provide various functionality, such as backdoor features, keylogging, and data exfiltration.
ShadowPad was first spotted by Kaspersky researchers in August 2017 on the servers of NetSarang, a South Korean software maker. According to Kaspersky, an unidentified cyber-espionage group injected ShadowPad in NetSarang's software and was using the malware as a backdoor into infected networks. Avast says it found ShadowPad log files on the four infected Piriform computers. The log files contained encrypted keystrokes, meaning attackers deployed ShadowPad's keylogger plugin. They also found ShadowPad plugins that could steal passwords from local apps, but also other tools that could download additional ShadowPad plugins.
Avast says that today, the CCleaner distribution chain is protected.
Source: BleepingComputer