At least 40 PCs infected by a backdoored version of the CCleaner disk-maintenance utility received an advanced second-stage payload that researchers are still scrambling to understand, officials from CCleaner's parent company said.

The 40 PCs, belonging to 12 technology companies, including Samsung, Asus, Fujitsu, Sony and Intel, is double the number previously known to have received the advanced follow-on infection. They still represent a miniscule percentage—more precisely, about 0.0018 percent—of the 2.27 million PCs that downloaded the booby-trapped CCleaner update. Avast notified most of the companies that received the stage-two malware and was attempting to contact the remaining victims.
The highly narrow targeting, combined with a list of 13 other technology companies that were also on a short list of organizations attackers targeted, prompted Avast to conclude the CCleaner backdoor was the work of a so-called "advanced persistent threat actor" intent on infecting the networks of large technology companies. Avast is the antivirus provider that acquired CCleaner developer Piriform on July 18, exactly 28 days before August 15, when it began pushing the backdoored version as an update to users.

"Despite the fact that CCleaner is a consumer product, the purpose of the attack was not to attack consumers and their data," Avast researchers wrote in a blog post published Monday morning. "Instead, the CCleaner consumer users were used to gain access to corporate networks of select large enterprises."

The stage-two payload is a relatively complex piece of malware that used a completely different set of command-and-control servers. The code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Researchers from Cisco Systems' Talos Group have said the malware contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Since the middle of last week, researchers have been working to reverse engineer the payload to understand precisely what it does on infected networks.

The complete list of hosting computers that received the mystery payload include:
infected-targets.jpg

While only 12 organizations received the follow-on malware, attackers had hoped to infect an additional 13 organizations. The stage-one malware examined the domains of all 2.27 million infected PCs. It surreptitiously collected a variety of data from each one, including all installed programs, all running processes, the operating-system version, hardware information, whether the user had administrative rights, and the hostname and domain name associated with the system. If the computers were hosted inside one of the 25 targeted networks, the attackers would attempt to infect them with stage two.

The list of 13 companies that were targeted but not successfully infected with stage two are listed below:

uninfected-targets-640x536.jpg

Avast officials said four PCs inside the company's network were among the 2.27 million PCs that received the stage 1 infection. They said they didn't know how many PCs hosted inside the Piriform network might have been infected.

Working 9 to 5

Monday morning's blog post also presented evidence that the still-unidentified hackers behind the attack may have been located in China, India, Russia, or elsewhere in Eastern Europe. The evidence is based on 100 connections the attackers made to the control server and its backup server to perform a variety of administrative tasks, such as installing systems and fix crashed databases. Avast researchers quickly noticed that the logins indicated an eight-hour work day followed by several hours of inactivity and then additional connections later in the evening.

Assuming the administrator's workday started at 8:00 or 9:00 in the morning, the person's location would have been in Russia, elsewhere in Eastern Europe, the eastern part of the Middle East, Central Asia, or India. The lack of logins on Saturdays or Sundays prompted Avast to eliminate Arabic countries. Of the 25 targeted companies, none of them is located in China, India, or Russia. To prevent breaking local laws, hackers seldom target companies in their own country.

Previously, researchers noted a portion of code used in the backdoored CCleaner overlapped with a malware used by a hacking group known both as APT 17 and Group 72, which is believed to operate out of China. A clock on the stage one command-server was also set to a Chinese timezone. None of the information is definitive proof where the attackers may be located.

The new information came from the recovery over the weekend of a database that contains all but about 40 hours of activity from the CCleaner incident, which spanned from August 15 to September 15. The only database that had been available previously contained activity for only the last three and a half days. Avast engineers updated their AV product last Wednesday to detect stage-two infections, and they also scanned a complete list of cryptographically hashed files belonging to all 260 million users of the security software. So far, not a single user has tested positive for stage two.

It's not yet clear what the malware has done to the 12 companies hosting the 40 stage two-infected PCs. It's possible that firewalls, intrusion prevention systems, or other measures may have prevented any network breach. Then again, if those measures didn't prevent infected PCs from receiving the follow-on malware, it's possible the later stages were also able to run as the attackers intended.

The tentative conclusion to be drawn from the newly available information is that the vast majority of people who installed the backdoored CCleaner version probably dodged a potentially serious bullet. Out of an abundance of caution, enterprises—including the 540 government agencies Talos said hosted stage one-infected PCs—should reimage their machines, as should consumers who have the backups and expertise to do so or who can afford to hire a professional to do it for them. Reimaging is a much more thorough response than simply running an AV scan, which can often fail to detect infections. Unless new facts come to light, consumers who don't have these resources are probably OK not reimaging their computers.