Inside the CCleaner Backdoor Attack

MADRID—As the investigation continues into the backdoor planted inside CCleaner, two members of parent company Avast’s threat intelligence team said today the desktop and cloud versions of the popular software contained different payloads.

The revelation came during a talk at Virus Bulletin 2017, where Jakub Kroustek and Jiri Bracek shared technical details on the attack, primarily the command and control infrastructure used for communication, along with some insight into the targets. They also hinted that further stages of the attack have yet to be uncovered.

Kroustek and Bracek said the attack likely has more than the three stages discussed so far; each stage found to date has been a downloader that fetches the next phase of the operation. The IP addresses hosting those stages are not stored in the clear: they are either encrypted with custom cryptographic algorithms or scattered as clues across phishing sites and purpose-built Github or WordPress pages, which the malware scans and pieces together to recover the address of the next stage.
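The pattern described above, a downloader that learns its next-stage address from a public page rather than carrying it in plaintext, is often called a dead-drop resolver. The following is an added illustration of that pattern, not code from the CCleaner sample or from Avast; the encoding it uses (a fixed XOR key, base64, and a hidden HTML attribute named `gallery-id`) is assumed for the example only, since the article does not describe the actual scheme. It shows both the attacker-side planting step and the implant-side resolution, plus the defender-relevant point that a plaintext IP scan of the page or the binary finds nothing.

```python
"""Dead-drop resolver illustration (added example; assumed encoding, not CCleaner's)."""
import base64
import re
import struct
from typing import Optional, Tuple

KEY = b"\x5a\xa5\x3c\xc3\x0f\xf0"   # assumed per-campaign XOR key, not from any sample
MARKER = "gallery-id"               # assumed attribute name the implant looks for


def encode_endpoint(ip: str, port: int, key: bytes = KEY) -> str:
    """Attacker side: turn ip:port into the opaque blob planted on the page."""
    raw = bytes(int(o) for o in ip.split(".")) + struct.pack(">H", port)
    xored = bytes(b ^ k for b, k in zip(raw, key))
    return base64.b64encode(xored).decode()


def decode_endpoint(blob: str, key: bytes = KEY) -> Tuple[str, int]:
    """Reverse of encode_endpoint: base64-decode, un-XOR, split into IP and port."""
    raw = bytes(b ^ k for b, k in zip(base64.b64decode(blob), key))
    ip = ".".join(str(b) for b in raw[:4])
    port = struct.unpack(">H", raw[4:6])[0]
    return ip, port


def resolve_from_page(html: str, key: bytes = KEY) -> Optional[Tuple[str, int]]:
    """Implant side: scan fetched page text for the marker and recover the next-stage endpoint.

    Returns None when the page carries no marker or the blob is malformed, so a
    takedown or an unrelated page does not crash the stager.
    """
    m = re.search(rf'{MARKER}="([A-Za-z0-9+/=]+)"', html)
    if not m:
        return None
    try:
        return decode_endpoint(m.group(1), key)
    except (ValueError, struct.error):
        return None


def plaintext_ips(text: str) -> list:
    """Defender-side check: dotted-quad IPs visible in plaintext (none, if the drop works)."""
    return re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", text)


# Constructed sample page standing in for a purpose-built blog post (not a real page).
SAMPLE_PAGE = f"""<html><body>
<h1>My holiday photos</h1>
<div class="post" {MARKER}="{encode_endpoint('203.0.113.7', 8443)}">
<p>Had a great time in the mountains this summer.</p>
</div></body></html>"""

if __name__ == "__main__":
    print("visible IPs on page:", plaintext_ips(SAMPLE_PAGE))
    print("implant resolves to:", resolve_from_page(SAMPLE_PAGE))
```

The defensive takeaway is that neither the stager nor the page contains a dotted-quad string to grep for; detection has to key on the fetch of an otherwise innocuous page by a process that has no business reading it, or on the decoded endpoint observed at the network layer.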

Source: Threatpost