CCleaner malware: Tech companies targeted by second stage payload

Domains of high-profile tech firms including Microsoft, Google and Samsung were targeted

Anti-virus software maker Avast has shifted its stance on the malware that compromised its PC maintenance tool, CCleaner. It now admits that the malware was far more sophisticated than it originally believed, stating that a targeted second stage payload was delivered to at least hundreds of PCs.

Earlier this week, researchers from Cisco's Talos Intelligence reported that CCleaner had been compromised in a supply-chain attack during August and September, with the attackers modifying the official download so that it delivered malware to unsuspecting users.

Avast then sought to clarify some of the details about the malware, but played down both Cisco Talos' role in finding the breach and the number of users affected.

The attack was an Advanced Persistent Threat (APT) programmed to deliver the second stage payload to select users

Based on an analysis of machines running Avast's own security software, it had said that it believed the second stage payload never activated, and that the only malicious code present on customer machines was therefore the code embedded in the ccleaner.exe binary. It claimed at the time that users did not need to restore affected machines to a state predating August 15, when the attack was thought to have begun.

Now, after a subsequent blog post in which Cisco Talos researchers confirmed that at least 20 victim machines were served specialised secondary payloads over four days in September, Avast CEO Vince Steckler and CTO Ondrej Vlcek have admitted that further analysis of the data from the command-and-control server shows the attack was an Advanced Persistent Threat (APT) programmed to deliver the second stage payload to selected users.

Avast said that the server logs showed the second stage payload being sent to 20 machines across eight organisations. However, because the logs covered only a little over three days, it said the actual number of computers that received the second stage payload "was likely at least in the order of hundreds".

"This is a change from our previous statement, in which we said that to the best of our knowledge, the second stage payload never delivered," it said.

While Avast said that it would not disclose the list of targeted companies publicly "for privacy reasons", Cisco said that the domains the attackers were attempting to target included those held by HTC, Sony, Samsung, Intel, VMware, Microsoft, Vodafone, Google, D-Link, Linksys, Akamai and even Cisco itself.

Cisco said that the array of high-profile tech companies suggested it was "a very focused actor after valuable intellectual property".

Steckler and Vlcek said the techniques used demonstrated the attacker's high level of sophistication, and that Avast was working with law enforcement to trace the source of the attack.

"We are committed to getting to the bottom of who is behind this attack. While providing routine periodic updates, our energies are focused on catching the perpetrators. Our approach is to do all of this in the background, to increase our chances of identifying the perpetrator," they said.

In another dig at Cisco Talos, the company said:

"We believe nothing is served by being too noisy, e.g. stating who was targeted and/or compromised and it is up to the target to choose when to disclose."

Cisco said the new findings supported and reinforced its earlier recommendation: those affected by the supply-chain attack should not simply remove the affected version of CCleaner or update to the latest version. Instead, they should restore from backups taken before the compromise or reimage the systems, to ensure they remove not only the backdoored version of CCleaner but also any other malware that the second stage may have left resident on the system.

Avast, however, said it stood by its recommendation simply to upgrade CCleaner to the latest version (now 5.35), adding that the right decision may differ for corporate users and will depend on their IT policies.