Earlier, I had posted about the recent Equifax leaks, which were widely reported and could have massive impacts on millions of people in terms of identity theft and fraudulent transactions.
This week, a new malware was found in the latest version of a popular application. If you have downloaded or updated your CCleaner application for your operating system in the last week, your computer is at risk of being compromised.
In the past week, Talos reported that CCleaner, an application used to clean disk space, free up RAM and browse safely, had been injected with a two-stage backdoor. The first stage ran code that collected details about the computer and the network and sent them to an external IP address, 216.126.x.x (hardcoded in the payload), via an HTTPS POST request. The code then read a reply from the same IP address, which gave it the ability to download a second-stage payload from that address. The second-stage payload is received as a custom base64-encoded string, further encrypted with the same XOR-based encryption algorithm used for all the strings in the first-stage code.
In case the IP address becomes unreachable, a backup in the form of a domain generation algorithm (DGA) activates and is used to redirect communication to a different location. So the CCleaner malware could potentially still be active even after the attacker's web server has been taken down: it could generate new domains and continue sending compromised information to the attackers.
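A defender-side illustration of the two communication paths just described (a POST to the hard-coded address, then fallback to generated domains), written as an added example that is not code from the original post or from Talos. The egress log format, the process-name check, the entropy and vowel thresholds, and the sample log lines are all assumptions constructed for the example.

```python
import math
from collections import Counter

# Prefix of the hard-coded C2 address given in the post (216.126.x.x); the
# last two octets are not published, so only that prefix is matched.
C2_PREFIX = "216.126."
WATCHED_PROCESS = "ccleaner.exe"   # assumed process name in the log

# Constructed sample egress log (not real traffic):
# "<timestamp> <process> <method> <destination-host> <destination-ip>"
# 216.126.0.1 is a placeholder inside the published prefix, not the real C2.
SAMPLE_LOG = """\
2017-09-18T10:01:02Z CCleaner.exe POST 216.126.0.1 216.126.0.1
2017-09-18T10:01:03Z chrome.exe GET www.example.com 93.184.216.34
2017-09-18T10:05:10Z CCleaner.exe POST ab12kq9xz7.com 203.0.113.9
2017-09-18T10:07:44Z CCleaner.exe GET piriform.com 203.0.113.8
"""

def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a DNS label."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_dga(host: str) -> bool:
    """Heuristic for a DGA-style name: long, random-looking second-level
    label with few vowels. Thresholds are assumptions, tune per environment."""
    labels = host.split(".")
    if len(labels) < 2:
        return False
    sld = labels[-2]
    vowel_ratio = sum(ch in "aeiou" for ch in sld) / max(len(sld), 1)
    return len(sld) >= 8 and shannon_entropy(sld) >= 3.0 and vowel_ratio < 0.25

def flag_events(log_text: str) -> list[tuple[str, str]]:
    """Return (timestamp, reason) for suspicious egress from the watched process:
    first the POST to the hard-coded address range, then DGA-like fallback."""
    findings = []
    for line in log_text.splitlines():
        ts, proc, method, host, ip = line.split()
        if proc.lower() != WATCHED_PROCESS:
            continue
        if method == "POST" and ip.startswith(C2_PREFIX):
            findings.append((ts, "POST to hard-coded C2 address range"))
        elif looks_dga(host):
            findings.append((ts, f"DGA-like fallback domain {host}"))
    return findings

if __name__ == "__main__":
    for ts, reason in flag_events(SAMPLE_LOG):
        print(ts, reason)
```

Hits on the hard-coded range are the high-confidence signal; the DGA heuristic is noisier and is there to catch the fallback path after the original server is gone.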
This is a type of malware commonly categorized as a supply chain attack. Such attacks are particularly harmful since they rely on the trust relationship between supplier and customer. The malicious build was even digitally signed with Piriform's certificate, which indicates an even bigger threat. After analyzing CCleaner's Command and Control (C2) server, the server that the affected versions connected to, researchers found that the malware was targeting big tech companies including Cisco, VMware, Sony and Microsoft, to name a few. This could be devastating, since anyone on a company's internal staff could have downloaded the innocuous-looking software update, and everything about their internal network would then have been known to the attackers.
This attack could be even more dangerous given the popularity of CCleaner. The application was downloaded 2 million times and, according to experts, around 700,000 PCs could be affected.
“These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system,” the researchers say.
Merely updating the application would not be effective for people whose device has already been exposed. Hence, affected companies that have had their computers infected with the malicious version of CCleaner are advised to restore their operating systems from a previous backup.
Good informative article. Worth reading. Keep it up.