The attackers who infected 2.27 million machines last year using a modified version of the computer maintenance app CCleaner were able to pull off the supply chain attack by gaining unauthorised access to the developer's network using the remote desktop access program TeamViewer.
Ondrej Vlcek, EVP and GM of the consumer business unit at Avast Software, the company that acquired CCleaner's developer Piriform in July 2017, disclosed the attack investigation's latest findings in a blog post released last week in conjunction with a presentation he led at RSA 2018 in San Francisco.
The initial intrusion, possibly the handiwork of the Chinese APT group Axiom (aka APT 17 or Group 72), preceded Avast's acquisition of CCleaner by approximately four months. In his post, Vlcek states that the threat actors first accessed Piriform's network in the early-morning hours of 11 March 2017 by logging in via TeamViewer software that had been installed on a developer's workstation.
"They successfully gained access with a single sign-in, which means they knew the login credentials," writes Vlcek, theorising that the same credentials may have been used for several other applications and at some point could have been leaked.
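The "single sign-in" detail above is a useful hunting signal: a remote-access logon that succeeds on the first attempt, from a source the account has never used, outside working hours. The following is an added detection example, not code from the article or from Avast; the log format, hostnames and addresses are constructed for illustration and are not TeamViewer's real log layout.

```python
import re
from datetime import datetime

# Constructed sample log in an assumed "timestamp user source result" layout
# (illustrative only; the last line mirrors the early-morning first-try login
# the article describes, the earlier lines are ordinary daytime activity).
SAMPLE_LOG = """\
2017-03-06 09:12:44 dev01 10.0.5.23 SUCCESS
2017-03-07 09:03:10 dev01 10.0.5.23 SUCCESS
2017-03-08 18:41:02 dev01 10.0.5.23 SUCCESS
2017-03-10 11:15:09 dev01 10.0.5.23 FAIL
2017-03-10 11:15:31 dev01 10.0.5.23 SUCCESS
2017-03-11 02:24:17 dev01 203.0.113.41 SUCCESS
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (SUCCESS|FAIL)$")


def parse(log_text):
    """Parse log lines into (timestamp, user, source, result) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def suspicious_logins(events, work_start=7, work_end=20):
    """Flag successful logins that are off-hours, come from a source never
    seen before for that user, and were not preceded by a failed attempt
    from that source (i.e. a first-try success from a new place)."""
    seen = {}         # user -> set of sources with an earlier successful login
    last_result = {}  # (user, source) -> result of the previous attempt
    flagged = []
    for ts, user, src, result in events:
        known = seen.setdefault(user, set())
        if result == "SUCCESS":
            new_source = src not in known
            off_hours = not (work_start <= ts.hour < work_end)
            first_try = last_result.get((user, src)) != "FAIL"
            if new_source and off_hours and first_try:
                flagged.append((ts, user, src))
            known.add(src)
        last_result[(user, src)] = result
    return flagged


if __name__ == "__main__":
    for ts, user, src in suspicious_logins(parse(SAMPLE_LOG)):
        print(f"{ts} first-try off-hours login for {user} from new source {src}")
```

Only the 02:24 login from the unseen address is flagged; the daytime logins and the success that followed a failed attempt are not.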
According to Vlcek, the attackers used a VBScript (Microsoft Visual Basic Scripting Edition) file to drop an initial backdoor payload, before moving laterally to a second computer and compromising its registry with a malicious binary, plus an older version of a second-stage malware used for persistence and command-and-control communications. Two days later, the first workstation also received this second-stage payload.
Then in April, after weeks of silence, the actors made their next move, introducing a third-stage payload -- a customised version of the cyber-criminal tool ShadowPad, which gives attackers remote control, keylogging and password-stealing capabilities. Ultimately, the adversaries delivered the malware to four Piriform computers as a mscoree.dll library disguised as a .NET runtime library.
"The attackers applied several techniques to infiltrate other computers in the internal network, including using passwords gathered by the keylogger, and logging in with administrative privileges through the Windows Remote Desktop application," states Vlcek.
The attackers patiently waited a full five months before finally smuggling their malware into a CCleaner build that went out to unsuspecting victims in August 2017. While essentially all victims were infected with the initial backdoor payload, only about 40 PCs operated by high-tech and telecommunications companies were further infected by the second-stage malware, while the third-stage malware had not yet been distributed by the time the scheme was exposed one month later.
Since Avast's discovery of the ShadowPad executable on the four Piriform computers, a subsequent analysis and VirusTotal file search turned up two more instances of the malware - one in South Korea and one in Russia.
The former was uploaded to VirusTotal on Dec. 27, 2017 and was created to communicate with C&C servers hosted by what was likely a hacked PC based in South Korea's Konkuk University. The latter targeted a computer run by an organisation involved with the distribution of public budgets. Avast observed that this organisation's financial transaction data, originally entered into Microsoft Firefox, had been recorded by ShadowPad's keylogger component. While this data was public information, Avast believes it is likely the malware also successfully accessed sensitive information.
"The oldest malicious executable used in the Russian attack was built in 2014, which means the group behind it might have been spying for years," states Vlcek. "The examples of ShadowPad in South Korea and Russia re-emphasise that ShadowPad has been active for a long time, and it is frightening to see how ShadowPad can spy on institutions and organisations so thoroughly."