The overall layout is neatly organized, and you should encounter no issues in keeping an eye on your remote machines. Once this step has been completed, all workstations are accessible via the dedicated web-based dashboard so you can remotely perform a wide range of actions. ![]() To make the most of this utility, you first need to create an account and download the client application that you later install on each PC you want to manage. CCleaner Cloud is one of the apps that can help you achieve this since you can remotely install apps, clean junk files or defragment them from the same interface. ![]() This is why remotely managing them can prove a lifesaver. There was even a backup DGA (domain generation algorithm) in case the hardcoded IP address could not be reached, but since the domains generated were not controlled by the same person, Piriform deemed that they "do not pose any risk.Taking care of multiple computers can be a time-consuming task, especially for IT departments from companies. All collected information was encrypted by base64 via a custom alphabet, which pinged a hardcoded IP address, signaling the delivery of the second stage of the malicious package. However, the extent of obfuscation of this backdoor went a few steps further. Afterwards, a normal execution of CRT code and main CCleaner continued, resulting in the thread with payload running in the background.This DLL was subsequently loaded and executed in an independent thread.The result (16 kB in size) was a DLL (dynamic link library) with a missing MZ header.It decrypted and unpacked hardcoded shellcode (10 kB large) - simple XOR-based cipher was used for this.Hidden through "encrypted strings" and "indirect API calls", the malicious load was run just before the main application's code, specifically performing the following actions: The two-stage backdoor that was identified was capable of running code from "a 3rd party computer server in the USA" and to cause the transmission of "non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters)".ĭue to the company contacting law enforcement, and the nature of the investigation, the issue hadn't been disclosed previously, however, the unauthorized server was shut down on the 15 of this month. ![]() ![]() About 2.27 million users have been affected, according to Avast CTO, Ondrej Vlcek. Regardless, perhaps a little more concerning that the mismatched timeline, the compromised executable was actually digitally signed using a valid certificate from the developer. Apparently, CCleaner in particular has been a tad of a headache for its parent company recently.Īccording to an announcement on its official blog, Piriform stated that the 32-bit versions of both CCleaner - released on August 14, updated to a non-compromised version September 12 - and CCleaner Cloud - released August 24, updated to a non-compromised version on September 15 - were part of a "security incident".Īlthough Piriform states that it discovered some suspicious activity on September 12 and issued an update for CCleaner the same day, researchers at Cisco Talos state that they informed Avast of the issue relating to the two aforementioned programs on September 13. A mere two months ago, Czech antivirus company Avast acquired Recuva, Speccy, and CCleaner developer Piriform for an undisclosed amount of money.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |