CCleaner malware delivered secondary payload to select targets

Earlier this week researchers at Cisco Talos discovered that version 5.33 of the popular PC maintenance tool CCleaner contained malware.

In follow-up updates published by both Cisco Talos and Avast itself, it has been revealed that the malware was far more dangerous than first believed.

“Analysis of the data from the CnC [command and control] server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2nd stage payload to select users,” Avast said on its blog.

The number of machines that received the second-stage payload is said to be “in the order of hundreds”, and Cisco Talos reports that at least 20 machines received it.

The attackers also targeted the domains of large tech companies such as Samsung, MSI, Cisco and D-Link, among others. Avast did not disclose whether any of these firms were successfully compromised (for good reason) but says that it is working with the affected companies and providing them with additional support.

Both Avast and Cisco Talos have expressed a greater level of concern following the discovery of a second stage payload.

Much like the initial malware, the second stage gathered information such as the OS version, but it also reported the host and domain name of the network as well as whether the infected user had administrative rights.

The existence of a second stage means that simply deleting the infected CCleaner files is not enough, since the follow-on payload may already have run. Cisco Talos recommends that affected users restore their system from a backup taken before the compromise, or format and rebuild from scratch.

It’s worth noting that CCleaner version 5.34 was not compromised, but Avast recommends updating to version 5.35 of the software.
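The following PowerShell check is an added example and is not code from the article, Avast or Cisco Talos. It reports the CCleaner build installed on a Windows host, flags the 5.33 release the article identifies as compromised, and marks anything below 5.35 as due for the update Avast recommends. It assumes that CCleaner registers itself under the standard Windows Uninstall registry keys with a DisplayName beginning “CCleaner” and that its DisplayVersion parses as a dotted version such as 5.33 or 5.35; both are assumptions, not facts stated on this page.

```powershell
# Added example, not from the article, Avast or Cisco Talos: report the installed
# CCleaner build on a Windows host and flag the version the article names as
# compromised (5.33). Assumptions (not from the page): CCleaner appears under the
# standard Uninstall registry keys with a DisplayName starting "CCleaner", and its
# DisplayVersion parses as a dotted version string.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-CCleanerStatus {
    $entries = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' }

    if (-not $entries) {
        return [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            Domain  = $env:USERDNSDOMAIN
            Version = $null
            Status  = 'not installed'
            Action  = 'none'
        }
    }

    foreach ($e in $entries) {
        $ver = $null
        $parsed = [version]::TryParse([string]$e.DisplayVersion, [ref]$ver)

        if (-not $parsed) {
            $status = 'unknown version'; $action = 'inspect manually'
        } elseif ($ver.Major -eq 5 -and $ver.Minor -eq 33) {
            # The compromised release. Per the article, removing the files is not
            # enough once a second stage may have run: restore from backup or reimage.
            $status = 'COMPROMISED BUILD'; $action = 'restore from backup or reimage'
        } elseif ($ver.Major -lt 5 -or ($ver.Major -eq 5 -and $ver.Minor -lt 35)) {
            # 5.34 was not compromised, but Avast recommends moving to 5.35.
            $status = 'outdated'; $action = 'update to 5.35 or later'
        } else {
            $status = 'ok'; $action = 'none'
        }

        [pscustomobject]@{
            Host    = $env:COMPUTERNAME
            Domain  = $env:USERDNSDOMAIN   # the second stage reported this; useful for correlation
            Version = [string]$e.DisplayVersion
            Status  = $status
            Action  = $action
        }
    }
}

Get-CCleanerStatus | Format-Table -AutoSize
```

Run it on each host (or fan it out with Invoke-Command across a fleet) and keep the Domain column: since the second stage was delivered selectively by domain, a host on one of the targeted domains with a 5.33 build should be treated as a candidate for the reimage advice rather than a simple update.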


[Source – Avast, Cisco Talos] [Image – CC BY 0 Public Domain Pixabay]

