Piriform attackers were planning a third stage of the CCleaner malware attack - Avast

Only 40 high-tech and telecoms companies were targeted in second-stage attack, claims Avast following forensic examination

Security researchers at anti-virus software firm Avast have released more details about the compromise of CCleaner last year, via the servers of Piriform, a company it had just acquired.

According to Avast, new evidence suggests that the hackers behind the CCleaner attack were planning to install a third round of malware on computers that they had compromised after cracking Piriform's CCleaner update servers.

Speaking at the Security Analyst Summit in Mexico last week, the company explained that it has continued to investigate the attack since it emerged in May 2017.

The security company recorded two stages of the malware attack in 2017. It said: "The first stage included downloader capabilities, which were used to download a second stage binary onto just 40 PCs out of the millions of devices infected with stage one."

However, it now believes that the attackers were preparing a third one. "We have found evidence of activity that could indicate what the intended third stage of the attack could have looked like," the company claimed.

While up to 2.27 million CCleaner consumers and businesses had downloaded the infected CCleaner product, the attackers installed the malicious second stage on just 40 PCs operated by high-tech and telecoms companies

To eradicate the threat, Avast said it had transferred the Piriform build environment to Avast infrastructure and replaced all of the company's hardware.

"We consolidated and inspected the Piriform infrastructure and computers, and found preliminary versions of the stage one and stage two binaries on these," said the researchers.

When analysing the malware, the researchers also came across a cyber-attack platform called ShadowPad. They said it is used by cyber criminals to "deploy in victims' networks to gain remote control capabilities".

By installing a tool like ShadowPad, the cybercriminals were able to fully control the system remotely while collecting credentials and insights into the operations on the targeted computer

They explained: "The tool was installed on the four Piriform computers on April 12th, 2017, while the preliminary version of stage two had been installed on the computers on March 12th, 2017.

"By installing a tool like ShadowPad, the cybercriminals were able to fully control the system remotely while collecting credentials and insights into the operations on the targeted computer."

Avast said the attackers installed the software on the Piriform network, but it did not affect CCleaner customers in the first two stages. That would have changed in the third stage, though.

"While up to 2.27 million CCleaner consumers and businesses had downloaded the infected CCleaner product, the attackers installed the malicious second stage on just 40 PCs operated by high-tech and telecoms companies," revealed the firm.

"We don't have a sample of a possible third stage that might have been distributed via the CCleaner attack, and it is not clear if it was the attacker's intention to attack all 40 PCs or just a few or none.

"We continue investigating the data dumps from the computers, and will post an update as soon as we learn more."