Cisco's security limb Talos has probed the malware-laden CCleaner utility that Avast so kindly gave to the world and has concluded its purpose was to create secondary attacks that attempted to penetrate top technology companies. Talos also thinks the malware may have succeeded in delivering a payload to some of those firms targeted.
The malware that made its way into CCleaner gathers information about its host and sends it to what Talos calls the "C2 server". Whoever is behind the malware then reviews the hosts its code has compromised and tries to infect some of them with what Talos characterises as "specialized secondary payloads".
Those payloads sometimes seek out top tech companies: Talos said this week its examination of code on the C2 server lists targets including Cisco, Microsoft, Sony, Intel, VMware, Samsung, D-Link, Epson, MSI, Linksys, Singtel and the dvrdns.org domain, which resolves to dyn.com.
The malware aimed at those companies creates a backdoor into machines it infects, suggesting to Talos "a very focused actor after valuable intellectual property". The researchers also propose that China could be the source of the attack, noting that the malware specifies use of the People's Republic's timezone and that it shares code with tools associated with a group of hackers believed to be Chinese, known as "Group 72", which was thought to be involved in previous attacks attempting IP theft.
Talos said it can "confirm that at least 20 victim machines were served specialized secondary payloads". The firm doesn't name the victims or say whether they are among the tech companies named above, because its researchers say the list of target companies changes. Cisco has informed those it believes have been infected.
Kill it with fire. Twice, if possible
"These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor," Talos said. "These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system."
What are you waiting for, people? Get to those backups now! ®
PS: Avast has now narrowed the CCleaner infection down to 40 PCs within Samsung, Asus, Fujitsu, Sony, O2, Intel, VMware, Singtel and others.