Getting to understand the CCleaner malware incident

The infected CCleaner version 5.33 was distributed through the official CCleaner download site, using a software installer that could trick most security solutions. The malicious installer was signed using a certificate issued to Piriform Ltd by Symantec, valid until 10/2018.

In its analysis, Talos found the following compilation artefact in the CCleaner binary: S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb

Given that the software installer was validly signed, and that this malicious compilation artefact was present, several hypotheses have been put forward about the malware and how it became part of the software. What is certain is that the version containing the infected payload has been removed and is no longer available for download. It remains a mystery whether the CCleaner version update released on September 12th, 2017 was related to the need to remove the malware, or whether the backdoor was removed from the distribution repository only after the notification by Cisco on September 13th, 2017. We have confirmed that this malicious version of CCleaner was hosted directly on CCleaner’s download server as of September 11, 2017. Since then, it is now estimated that over 700,000 machines were infected and may still be receiving command

CCleaner malware indicators of compromise: registry keys

Talos also identified what is believed to be a software bug in the malicious code related to the C2 function. A DGA-computed IP address was found at the following location in the registry: This IP address apparently does nothing and its purpose is unknown because the malware does not use it.
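As an added example (not code from the original post or from Talos), a small Python scanner that decodes CodeView RSDS debug records in a PE image and flags the PDB path quoted in the post; the sample images are constructed inline and are not real CCleaner binaries.

```python
import struct
import uuid

# Compilation artefact quoted in the post (PDB path embedded in the trojanised binary).
CCLEANER_PDB_PATH = r"S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb"

RSDS_MAGIC = b"RSDS"


def find_rsds_records(data: bytes):
    """Scan a PE image (raw bytes) for CodeView RSDS records and decode them.

    Layout: 'RSDS' | 16-byte GUID | 4-byte age (little-endian) | NUL-terminated PDB path.
    Scanning the raw image instead of walking the debug directory keeps this free of
    any PE library and still finds records in images with damaged headers.
    """
    records = []
    pos = data.find(RSDS_MAGIC)
    while pos != -1:
        body = data[pos + 4:]
        if len(body) >= 20:  # truncated records (no GUID/age) are skipped
            guid = uuid.UUID(bytes_le=body[:16])
            (age,) = struct.unpack("<I", body[16:20])
            end = body.find(b"\x00", 20)
            path = body[20:end if end != -1 else len(body)].decode("latin-1")
            records.append({"offset": pos, "guid": str(guid), "age": age, "pdb_path": path})
        pos = data.find(RSDS_MAGIC, pos + 4)
    return records


def matches_ccleaner_artefact(data: bytes) -> bool:
    """True if any RSDS record carries the PDB path from the Talos analysis."""
    return any(r["pdb_path"].lower() == CCLEANER_PDB_PATH.lower()
               for r in find_rsds_records(data))


def build_rsds(pdb_path: str, age: int = 1, guid=None) -> bytes:
    """Construct a synthetic RSDS record (test data only; GUID is random unless given)."""
    guid = guid or uuid.uuid4()
    return RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age) + pdb_path.encode("latin-1") + b"\x00"


# Constructed sample images: padding stands in for the rest of the PE content.
SUSPICIOUS_IMAGE = b"MZ" + b"\x00" * 64 + build_rsds(CCLEANER_PDB_PATH, age=3) + b"\x00" * 32
CLEAN_IMAGE = b"MZ" + b"\x00" * 64 + build_rsds(r"C:\build\app\Release\app.pdb") + b"\x00" * 32

if __name__ == "__main__":
    for name, image in (("suspicious", SUSPICIOUS_IMAGE), ("clean", CLEAN_IMAGE)):
        for rec in find_rsds_records(image):
            print(name, rec)
        print(name, "matches CCleaner artefact:", matches_ccleaner_artefact(image))
```

A raw-byte scan like this is what a YARA string rule does; walking the PE debug directory instead yields the same record with fewer false positives on files that merely mention the path.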