Cyber security company Avast continues to investigate the 2017 supply chain attacks involving the clean-up tool CCleaner. For a month last summer, Advanced Persistent Threat (APT) attackers are reported to have maliciously modified versions of CCleaner and CCleaner Cloud at source; the tampered builds were then downloaded by 2.27 million customers worldwide. From those, the attackers selected a small number of high profile technology and telecommunications companies to receive a secondary payload.
Avast’s ongoing investigation has now revealed that CCleaner developer Piriform (acquired by Avast in July) was probably compromised as early as March 2017, although no information is given about the original attack vector.
The investigation also points to a possible third stage of the malware distributed via the CCleaner attack: once on the Piriform network, the attackers deployed a tool known as ShadowPad, which included keylogging and password stealing functionality, alongside other tools that allowed them to progress their attack remotely. The same tool may also have been deployed to the customers who received the secondary payload.
Avast also details the steps it has taken to remove the threat from the Piriform network.