Backdoor trojan found in CCleaner

     Investigations continue into a backdoor that was planted in the CCleaner utility in 2017. Avast states it found that the hackers behind the attack were planning to install a third round of ShadowPad malware on compromised computers. Avast, which acquired the maker of CCleaner in July, stated that it has been investigating the malware attack on the PC cleaning tool CCleaner since it was first reported in September 2017. Even though the company didn't find any evidence of a third stage binary on compromised computers, it found evidence of what the intended third stage might be. Avast found that the malware spread to Piriform's build server sometime between March and July of 2017. Avast reported the hack in September, stating that the 32-bit versions of CCleaner and CCleaner Cloud had been infected by malware. More than 2 million computers had installed CCleaner or CCleaner Cloud. The malware had been collecting data such as computer names, lists of installed software, and running processes. Avast stated that the malware also had downloader capabilities, which were active on 40 PCs.

     While cleaning the threat from the Piriform network, Avast started integrating and inspecting the Piriform infrastructure and computers. This is when Avast found the preliminary versions of the stage one and stage two binaries on them. Avast found traces of a specialized, multi-purpose, modular malware framework called ShadowPad on four computers on the Piriform network. Avast found an older version of stage two inside the network itself trying to download a tool called ShadowPad.

     ShadowPad is an attack platform that criminals deploy in networks to gain remote control, log keystrokes and access secure data. Avast found that the tool was installed on the four Piriform computers on April 13th, 2017; it found ShadowPad log files containing encrypted keystrokes from a keylogger program installed on the computers. The version of the ShadowPad tool was custom-built for Piriform. By installing a tool like ShadowPad, the hackers were able to control the system remotely and collect all the credentials and insights into the operations on the targeted computer. Other tools were also installed on the four computers, including a password stealer and tools that provide the capability to install further software and plugins on the targeted computer remotely.

     ShadowPad was first found in August after IT security experts found a backdoor in NetSarang's server management software package. Researchers state that the modular platform could download and execute arbitrary code, create processes, and maintain a virtual file system in the registry, all of which is encrypted and stored in locations unique to each victim. Avast doesn't have a sample of the third stage code that the CCleaner hack was meant to install on any computers, and it's not clear whether the hackers intended to attack all 40 of them or just a few. Avast is continuing to investigate the data dumps from the computers and will post an update as soon as it learns more.
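The registry-resident, encrypted virtual file system described above is the kind of artifact a defender can hunt for without a sample: encrypted or packed data has near-random byte content, so large registry values with entropy close to 8 bits per byte stand out from ordinary strings and small binary structures. The script below is an added example written for this article, not code from Avast, Piriform or the ShadowPad research; the key paths, value names and the size and entropy thresholds are constructed placeholders and heuristic assumptions, not indicators from the case.

```python
"""Entropy-based scan for encrypted blobs stored in registry values.

Added example: flags registry values that look like encrypted or packed
data (large, near-random bytes). The records below are constructed sample
data, not real indicators; on Windows the same scanner would be fed values
read with the winreg module.
"""
import math
from collections import Counter
from hashlib import sha256
from typing import Iterable, List, Tuple

# A registry record as (key_path, value_name, raw_bytes). This shape is an
# assumption of the example, not a Windows API type.
Record = Tuple[str, str, bytes]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty or constant data, at most 8.0."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def is_suspicious(data: bytes, min_size: int = 1024, min_entropy: float = 7.2) -> bool:
    """A value is suspicious when it is both large and near-random.

    Encrypted or compressed payloads sit close to 8 bits/byte; REG_SZ
    strings (especially UTF-16 with many zero bytes) and small REG_BINARY
    structures do not. Small values are skipped so that short random data
    such as GUIDs or salts is not flagged. Thresholds are heuristics.
    """
    return len(data) >= min_size and shannon_entropy(data) >= min_entropy


def scan_records(records: Iterable[Record], min_size: int = 1024,
                 min_entropy: float = 7.2) -> List[dict]:
    """Return one finding per suspicious record, with the measured entropy."""
    findings = []
    for key_path, value_name, data in records:
        if is_suspicious(data, min_size, min_entropy):
            findings.append({
                "key": key_path,
                "value": value_name,
                "size": len(data),
                "entropy": round(shannon_entropy(data), 3),
            })
    return findings


def _pseudo_random_bytes(seed: bytes, length: int) -> bytes:
    """Deterministic high-entropy bytes (a SHA-256 chain) standing in for an
    encrypted blob, so the constructed sample behaves the same everywhere."""
    out = bytearray()
    block = seed
    while len(out) < length:
        block = sha256(block).digest()
        out.extend(block)
    return bytes(out[:length])


# Constructed sample records: two benign-looking values and one blob that
# resembles an encrypted payload. Paths and names are placeholders.
SAMPLE_RECORDS: List[Record] = [
    (r"HKLM\SOFTWARE\ExampleVendor\App", "InstallPath",
     "C:\\Program Files\\ExampleVendor\\App\\".encode("utf-16-le")),
    (r"HKLM\SOFTWARE\ExampleVendor\App", "Flags", b"\x01\x00\x00\x00"),
    (r"HKLM\SOFTWARE\Classes\CLSID\{constructed-example}", "Data",
     _pseudo_random_bytes(b"constructed sample seed", 4096)),
]


if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['key']}\\{f['value']}: {f['size']} bytes, "
              f"entropy {f['entropy']} bits/byte")
```

Run against the constructed records, only the 4096-byte blob is reported; the UTF-16 path has many zero bytes and low entropy, and the four-byte flag is below the size floor. To use it on a live host you would walk the hives with `winreg.OpenKey` and `winreg.EnumValue`, encoding string values to bytes before scoring, and then triage the hits by whether the owning key has any legitimate reason to hold a large opaque value. Entropy alone is not proof of compromise (legitimate software also stores compressed or encrypted settings), so treat a hit as a lead for further analysis rather than a verdict.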