Talos recently published a technical analysis of a backdoor which was included with version 5.33 of the CCleaner application. During our investigation we were provided an archive containing files that were stored on the C2 server. Initially, we had concerns about the legitimacy of the files. However, we were able to quickly verify that the files were very likely genuine based upon the web server configuration files and the fact that our research activity was reflected in the contents of the MySQL database included in the archived files.

In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations, including Cisco, that were specifically targeted through delivery of a second-stage loader. Based on a review of the C2 tracking database, which only covers four days in September, we can confirm that at least 20 victim machines were served specialized secondary payloads. Below is a list of domains the attackers were attempting to target. Not all companies identified in the targets.php file were seen communicating with a secondary C2 or had a secondary payload deployed.

Interestingly, the array specified contains Cisco's domain () along with other high-profile technology companies. This would suggest a very focused actor after valuable intellectual property.

These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor. These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.

The contents of the web directory taken from the C2 server included a series of PHP files responsible for controlling communications with infected systems. The attacker used a symlink to redirect all normal traffic requesting 'index.php' to the 'x.php' file, which contains the malicious PHP script. In analyzing the contents of the PHP files, we identified that the server implemented a series of checks to determine whether to proceed with standard operations or simply redirect to the legitimate Piriform web site.
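The symlink trick described above (a benign-looking 'index.php' that is really a link to the script handling implant traffic) is the kind of thing a responder wants to spot quickly when triaging a seized or suspect web root. The following is an added example, not code from the Talos post or from the C2 server: it builds a constructed sample web root in a temporary directory (the file names 'index.php', 'x.php' and 'targets.php' are taken from the post; their contents are placeholders) and walks it looking for PHP files that are symlinks, reporting where each one actually resolves and whether it is a web entry point.

```python
import os
import tempfile
from pathlib import Path

# Names a web server typically serves as the directory's entry point.
ENTRY_POINT_NAMES = {"index.php", "default.php"}


def build_sample_webroot() -> Path:
    """Create a constructed sample web root (assumption: layout mirrors the
    post's description; file contents are placeholders, not the real scripts)."""
    root = Path(tempfile.mkdtemp(prefix="webroot_"))
    (root / "x.php").write_text("<?php /* placeholder for the script handling implant traffic */ ?>\n")
    (root / "targets.php").write_text("<?php $targets = array(); /* placeholder */ ?>\n")
    # The suspicious part: index.php is a symlink to x.php rather than a real file.
    (root / "index.php").symlink_to(root / "x.php")
    (root / "static").mkdir()
    (root / "static" / "about.php").write_text("<?php echo 'about'; ?>\n")
    return root


def find_symlinked_php(root: Path) -> list[dict]:
    """Walk `root` without following symlinked directories and return one
    finding per .php path that is itself a symlink. Each finding records the
    raw link target, the resolved path (relative to the root when possible)
    and whether the linked name is a web entry point such as index.php."""
    root = Path(root)
    root_resolved = root.resolve()
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):  # followlinks=False by default
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() != ".php" or not path.is_symlink():
                continue
            resolved = path.resolve()
            try:
                resolved_display = str(resolved.relative_to(root_resolved))
            except ValueError:
                # Link points outside the web root: report the absolute path.
                resolved_display = str(resolved)
            findings.append({
                "path": str(path.relative_to(root)),
                "link_target": os.readlink(path),
                "resolved": resolved_display,
                "entry_point": name.lower() in ENTRY_POINT_NAMES,
                "dangling": not resolved.exists(),
            })
    return findings


def summarize(findings: list[dict]) -> list[str]:
    """Render findings as one line each, flagging entry points for priority review."""
    lines = []
    for f in findings:
        flag = "ENTRY POINT" if f["entry_point"] else "symlink"
        state = " (dangling)" if f["dangling"] else ""
        lines.append(f"[{flag}] {f['path']} -> {f['resolved']}{state}")
    return lines


if __name__ == "__main__":
    sample_root = build_sample_webroot()
    for line in summarize(find_symlinked_php(sample_root)):
        print(line)
```

On the constructed sample this reports a single finding, `[ENTRY POINT] index.php -> x.php`, which is exactly the pattern from the post: every request for the default page is silently served by a different script. Running the same walk over an archived web directory gives a first list of files to read before anything else.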