Cisco's security division Talos has published a new analysis of the CCleaner hack. The team has obtained files from the malware's command-and-control server which show that the attackers were targeting large technology companies.
In a recent blog post, Talos lists a number of companies targeted by the as-yet-unidentified attackers. They are large technology firms such as Samsung, Sony, Google, Intel, Microsoft and Cisco itself. From this, the researchers conclude that the motive was probably economic espionage, with a sophisticated group going after intellectual property. In total, the attackers activated the second stage of the malware on twenty systems; Talos does not say whether those systems belonged to the companies named.
This contradicts earlier reports, which stated that the second stage of the malware was never activated. Avast confirms Talos's finding in a blog post of its own. The first stage consisted of a backdoor in the CCleaner installer, which collected information about infected systems and sent it to the attackers. The second stage, according to Talos, consisted of a file called GeeSetup_x86.dll, which installs a trojanised tool on the system. That tool patches a legitimate file with malicious code, after which further code can be executed purely in the system's memory, a technique intended to make detection harder.
The researchers base their findings on files from the command-and-control server used to control the malware on infected systems. Talos does not explain how it obtained these files; it reports only that the researchers initially doubted their authenticity, but later established that they were genuine.
The files include PHP scripts that handled communication with systems on which the malware was present. The researchers also found a MySQL database recording the systems that contacted the C2 server over a four-day period in September: some 700,000 systems, 20 of which had received the second stage of the malware. Because the database covers only a short window, Talos warns that there may well have been other targets.
Security firm Kaspersky had earlier pointed out that the attackers reused code previously used by members of the so-called Group 72 or Axiom group, which is said to have ties to China and to engage in economic espionage. According to Talos, there are indeed similarities, and it considers this significant. Talos also found references to Chinese time zones in the PHP files, but says that such references are of no use for attributing the attack to a particular party.