A hacker managed to infiltrate the official build of CCleaner during the development process, planting malware designed to steal user data. The affected products are the free version CCleaner 5.33 and CCleaner Cloud, which include a domain generation algorithm and command-and-control function.

The CCleaner hackers specifically chose these 20 machines based upon their domain name, IP address, and hostname, and the researchers believe the secondary malware was likely intended for industrial espionage.

CCleaner Malware Links to Chinese Hacking Group

According to the researchers from Kaspersky, the CCleaner malware shares some code with the hacking tools used by a sophisticated Chinese hacking group called Axiom, also known as APT17, Group 72, DeputyDog, Tailgater Team, Hidden Lynx or AuroraPanda.

"The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella'," tweeted the director of Kaspersky Lab's Global Research and Analysis Team.

Cisco researchers also note that one configuration file on the attacker's server was set for China's time zone, which suggests China could be the source of the CCleaner attack. However, this evidence alone is not enough for attribution. Cisco Talos researchers also said that they have already notified the affected tech companies about a possible breach.

Removing Malicious CCleaner Version Would Not Help

Just removing Avast's software application from the infected machines would not be enough to get rid of the CCleaner second-stage malware payload from their network, since the attackers' C2 server is still active. So, affected companies that have had their computers infected with the malicious version of CCleaner are strongly recommended to fully restore their systems from backups taken before the installation of the tainted security program.

"These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system," the researchers say.

For those who are unaware, the Windows 32-bit version of CCleaner v and CCleaner Cloud v were affected by the malware, and affected users should update the software to version 5.34 or higher.

QBot malware (aka QakBot) is targeting devices using Windows OS in a rather unconventional manner. According to researcher "ProxyLife" on Twitter, QBot malware has been exploiting the Windows 7 Calculator app since at least 11 July 2022.

Security researcher ProxyLife reported that hackers are infecting Windows PCs with QBot malware, and that the malicious code is distributed via Windows Calculator. The researcher noted that infecting PCs this way can also make it easier for cyber crooks to launch malspam (malicious spam) campaigns.

What is QBot?

For your information, QBot is a Windows malware strain. It surfaced as a banking trojan at first and has now become a preferred choice of ransomware gangs due to its constant evolution into a powerful malware distribution platform.

According to Bleeping Computer, the malware is deployed through emails in which it is hidden in an HTML file attachment. This attachment contains a password-protected ZIP archive with an ISO file containing a .LNK file. According to the researcher, this file is a spoofed version of the Windows Calculator app's file (calc.exe). Two DLL files are also present in the archive, WindowsCodecs.dll and 7533.dll, which contain the malicious payload.

When the email recipient opens the ISO file, it executes a .LNK shortcut linked to the Calculator app; when the victim opens the shortcut, the spoofed Calculator app opens and the system gets infected with QBot malware via Command Prompt.

Windows Calculator App Distributing Malware

The app is exploited for DLL side-loading hacks. This is a typical form of attack in which a hacker exploits Dynamic Link Libraries by creating a fake version of a legitimate DLL file. This file is stored in a folder and loaded in place of the original file by the system. Since Calculator is a trusted program in the Windows system, the security software fails to detect the malware, so the malicious code can evade detection.

It is worth noting that hackers cannot exploit Windows 10 or 11 through this DLL side-loading technique, and therefore they can only target systems running Windows 7. All users of Windows 7 should be cautious of such suspicious emails and avoid opening enclosed ISO files.
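As an added example (not code from the article or from ProxyLife), the following Python heuristic flags the staging layout described above from the defender's side: an executable sitting outside System32 beside a DLL that normally lives only there. Only calc.exe, WindowsCodecs.dll and 7533.dll come from the report; the other DLL names, the directory fixture and the file contents are constructed assumptions.

```python
import os
import tempfile
from pathlib import Path

# Assumption: system DLLs that legitimate third-party apps never ship beside their
# own executables. Only WindowsCodecs.dll is from the report; the rest are illustrative.
SYSTEM_ONLY_DLLS = {"windowscodecs.dll", "version.dll", "dwmapi.dll", "uxtheme.dll"}


def find_sideload_candidates(root, trusted_dirs):
    """Walk `root` and return one (exe, spoofed_dlls, companion_dlls) tuple per
    executable that shares a directory outside `trusted_dirs` with a DLL named
    like a system-only DLL. Paths are resolved so symlinked temp dirs compare equal."""
    trusted = [Path(d).resolve() for d in trusted_dirs]
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        here = Path(dirpath).resolve()
        if any(here == t or t in here.parents for t in trusted):
            continue  # System32 itself is where these DLLs belong
        exes = sorted(f for f in files if f.lower().endswith(".exe"))
        spoofed = sorted(f for f in files if f.lower() in SYSTEM_ONLY_DLLS)
        if not exes or not spoofed:
            continue
        # Other DLLs staged in the same folder (7533.dll in the report) are the likely payload.
        companions = sorted(f for f in files
                            if f.lower().endswith(".dll") and f not in spoofed)
        for exe in exes:
            hits.append((str(here / exe), [str(here / f) for f in spoofed],
                         [str(here / f) for f in companions]))
    return hits


def build_sample_tree():
    """Constructed fixture: the ISO contents from the report beside a clean
    System32 copy. File bytes are placeholders, not real PE images."""
    base = Path(tempfile.mkdtemp(prefix="sideload_demo_"))
    iso = base / "iso_contents"
    iso.mkdir()
    for name in ("calc.exe", "WindowsCodecs.dll", "7533.dll"):
        (iso / name).write_bytes(b"MZ placeholder")
    sys32 = base / "Windows" / "System32"
    sys32.mkdir(parents=True)
    for name in ("calc.exe", "WindowsCodecs.dll"):
        (sys32 / name).write_bytes(b"MZ placeholder")
    return base, sys32


if __name__ == "__main__":
    base, sys32 = build_sample_tree()
    for exe, spoofed, companions in find_sideload_candidates(base, [sys32]):
        print(exe, "\n  spoofed system DLL:", spoofed, "\n  companion DLLs:", companions)
```

On a real host the same walk would be pointed at user-writable locations (Downloads, Temp, mounted ISO drive letters) with the real System32 and SysWOW64 passed as trusted directories.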