The researchers said that the modular platform could download and execute arbitrary code, create processes, and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim.
ShadowPad was first discovered in August after researchers at Kaspersky Lab found a backdoor in NetSarang’s server management software package.
Besides the keylogger tool, other tools were installed on the four computers, including a password stealer, and tools providing capacities to install further software and plugins on the targeted computer remotely.” “By installing a tool like ShadowPad, the cybercriminals were able to fully control the system remotely and collect all the credentials and insights into the operations on the targeted computer. “The version of the ShadowPad tool is custom-built, leading us to the assumption that it was explicitly built for Piriform,” said the company. Hron said that the tool was installed on the four Piriform computers on April 13th, 2017 after Avast found log files of ShadowPad which were encrypted keystrokes from a keylogger installed on the computers. ShadowPad is a cyber attack platform that criminals deploy in networks to gain remote control capabilities, keylogging functionality and data exfiltration.
“It turned out we found an older version of stage two inside the network itself trying to download a tool called ShadowPad,” Martin Hron, security researcher at Avast, told Threatpost during SAS. Then, on four computers on the Piriform network, the company found evidence of a specialized multi-purpose and modular malware framework called ShadowPad being installed. While eliminating the threat from the Piriform network, Avast started consolidating and inspecting the Piriform infrastructure and computers, and found the preliminary versions of the stage one and stage two binary on them. “However, we now have found evidence that leads us to the assumption of what the intended third stage might have been.” “Up until now, we have not found any third stage binary on the affected computers,” the company said.
The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella'.
In September, Avast and Kaspersky Lab’s Costin Raiu said that they believed Chinese cyber espionage group Axiom was behind the attack. In addition to data collection, Avast said that the malware also had downloader capabilities which were active on 40 PCs.
CANCUN, Mexico – As investigations continue into a backdoor that was planted in the CCleaner utility in 2017, Avast said it has found that the threat actors behind the attack were planning to install a third round of ShadowPad malware on compromised computers.Īvast, which acquired the maker of CCleaner Piriform in July, said that it has been continually investigating the malware attack on the popular PC cleaning tool CCleaner (formerly Crap Cleaner) since it was first revealed in September 2017. While the company has not found evidence of a third stage binary on infected computers, it has found evidence of “what the intended third stage might have been,” according to Avast speaking at Kaspersky Lab’s Security Analyst Summit last week.Īccording to Avast, it has found that the malware in question spread to Piriform’s build server sometime between March and July 4, 2017.Īvast in September brought the issue to light, saying that the 32-bit versions of CCleaner V and CCleaner Cloud V – which had been installed on up to 2.27 million computers – had been infected by malware collecting data such as computer names and lists of installed software and running processes.