CCleaner attackers wanted to install keylogger and password thief
According to Avast, there were three stages to last year’s attack on CCleaner. In that last step, which the attackers failed to perform, the attackers allegedly wanted to install keyloggers and a password thief via the ShadowPad tool.
The Avast researchers don’t have hard evidence for plans for a third step in the attack, but they have analyzed logs that indicate an additional stage. The researchers will release details of their investigation into the CCleaner contamination at the Security Analyst Summit.
After the acquisition of Piriform, Avast owns the popular cleaning tool CCleaner and is investigating the attack on that software from September last year. In that incident, attackers managed to penetrate Piriform’s systems and add a backdoor to CCleaner, which consisted of two components.
The first component aimed to collect information such as the name of the affected system and installed software and send it to a command and control server. The second component had to smuggle code into the system and execute it. More than 2.27 million PCs worldwide have downloaded the custom CCleaner installer, but of those infected systems, only 40 PCs have downloaded the second component.
The Avast researchers found the ShadowPad tool on four computers within the Piriform network. This tool is used by attackers to gain control over attacked systems. The researchers suspect that the second component of the attack has brought in ShadowPad for a third stage. They also believe that Axiom, the alleged group behind the attack, modified ShadowPad specifically for the Piriform operation. Axiom is said to have ties to China and engage in economic espionage.
ShadowPad logs show that a keylogger was running on the four computers that, among other things, kept track of Visual Studio keystrokes. In addition, a program was installed via the tool to steal passwords and to install further software and ShadowPad plug-ins. According to Avast, ShadowPad was only put on the four computers and not on consumer PCs, but it thinks further distribution was the goal.