As the investigation continues into the backdoor planted inside CCleaner, two members of parent company Avast’s threat intelligence team said today the desktop and cloud versions of the popular software contained different payloads.
The revelation was made during a talk at Virus Bulletin 2017 during which Jakub Kroustek and Jiri Bracek shared technical details on the attack, primarily about the command and control infrastructure used for communication, as well as some insight on the targets and hinted that there may be other stages of this attack that have yet to be uncovered.
Kroustek and Bracek said there are likely more than the three stages of this attack that have been discussed so far; each stage to date has been a downloader grabbing the next phase of the operation. IP addresses housing these stages are hidden, either encrypted with custom cryptographic algorithms or tucked away on phishing sites or purpose-built Github or WordPress pages that are scanned by the malware in order to piece together clues as to the IP addresses holding the next stage.
More evidence seems to point toward this being a targeted attack with only 40 installations of the second stage payload reported to Avast out of more than 2.27 million customers who received a compromised version of the PC maintenance software.
“This suggests it was very targeted and used only against a specific group of users,” Bracek said.
The researchers shared a list of domains from the malware suggesting that if a compromised machine from one of those domains connected it would receive the second stage payload. Those domains include Samsung, Microsoft, Sony, Akamai and others indicating that espionage could be the goal of this attack.
Meanwhile, it appears that the attackers behind this campaign were fairly agile in updating their code as the campaign progressed. For example, CCleaner version 5.33 and CCleaner Cloud 1.7.0 contained different payloads.