Fill Out This Form To Receive Your FREE Report


Sign Me Up For
The Free Assessment


CCleaner Hackers Had Intended To Deploy Keylogger In Third Stage Code

Last year, the CCleaner utility was found to have been compromised. Malware investigators are still pursuing a backdoor that was planted on this utility last 2017. As per Avast, they said that the backdoor threat developers have install a third round code of ShadowPad malware on compromised computers.

Antivirus company Avast acquired the maker of CCleaner Piriform last July has been continuing to investigate the malware attack on the cleaning tool. While the company has not found evidence of a third stage binary on infected computers, it has found evidence of “what the intended third stage might have been,” according to Avast speaking at Kaspersky Lab’s Security Analyst Summit last week.

This malware has crept through Piriform’s servers somewhere between March and July 2017.

Avast in September brought the issue to light, saying that the 32-bit versions of CCleaner V5.33.6162 and CCleaner Cloud V1.07.3191 – which had been installed on up to 2.27 million computers – had been infected by malware collecting data such as computer names and lists of installed software and running processes. In addition to data collection, Avast said that the malware also had downloader capabilities which were active on 40 PCs.

After their announcement, they pretty much believe that Chinese cyber espionage group Axiom was the perpetrator of the said attack.

The threat from the Piriform network was taken care of and now, Avast started consolidating, and inspecting their infrastructure and equipment. Found the preliminary versions of the stage one and stage two binary on a few computers, and on four more computers on the Piriform network, the company found evidence of a specialized multi-purpose and modular malware framework called ShadowPad being installed.

ShadowPad is a cyber attack platform that criminals deploy in networks to gain remote control capabilities, keylogging functionality and data exfiltration.

Hron said that the tool was installed on (4) four Piriform computers on April 13th, 2017 after Avast found log files of ShadowPad which were encrypted keystrokes from a keylogger installed on the computers.

Upon comparison of the code of the ShadowPad tool, it has been found that this version found on their computers is a custom-built one and was intended to target only Piriform. They seem to have collected all the credentials, operations and planning information from the compromised computers.

Aside from the keylogging function, other tools got installed on the (4) four computers mentioned which included a password stealer and a tool providing capacities to install further software and plugins on the targeted computer remotely.

The original ShadowPad malware was discovered by researchers from Kaspersky Labs when they have found a backdoor in NetSarang’s server management package. The researchers said that the modular platform could download and execute arbitrary code, create processes, and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim.

As of now, Avast is still trying to find if there are any payload that might have been distributed over the infected computers. it is not clear if it was the attacker’s intention to attack all 40 of them just a few or none. Avast will continue investigating the data dumps from the computers, and will post an update as soon as we learn more,” the company said.



Was this helpful?

As we value quality over quantity, we have focused our unified Business I.T. services only to Arizona specifically in Phoenix, Scottsdale, Glendale Metro areas.

Our technicians are available the very instant you call us; thereby, ensuring no interruption of your usual business operations. In case you can’t access our contact page, our phone support is always available to cater to your calls. Just give us a ring at 480-464-0202

Written by

No Comments Yet.

Leave a Reply


[contact-form-7 id="5555" title="Mobile Form"]