Search results for ccleaner malware | Breaking Cybersecurity News | The Hacker News

The group of unknown hackers who hijacked CCleaner's download server to distribute a malicious version of the popular system optimization software targeted at least 20 major international technology companies with a second-stage payload. Earlier this week, when the CCleaner hack was reported , researchers assured users that there's no second stage malware used in the massive attack and affected users can simply update their version in order to get rid of the malicious software. However, during the analysis of the hackers' command-and-control (C2) server to which the malicious CCleaner versions connected, security researchers from Cisco's Talos Group found evidence of a second payload (GeeSetup_x86.dll, a lightweight backdoor module) that was delivered to a specific list of computers based on local domain names. Affected Technology Firms  According to a predefined list mentioned in the configuration of the C2 server, the attack was designed to find computer...

Last year, the popular system cleanup software CCleaner suffered a massive supply-chain malware attack of all times, wherein hackers compromised the company's servers for more than a month and replaced the original version of the software with the malicious one. The malware attack infected over 2.3 million users who downloaded or updated their CCleaner app between August and September last year from the official website with the backdoored version of the software. Now, it turns out that the hackers managed to infiltrate the company's network almost five months before they first replaced the official CCleaner build with the backdoored version, revealed Avast executive VP and CTO Ondrej Vlcek at the RSA security conference in San Francisco on Tuesday. 6-Months Timeline of CCleaner Supply Chain Attack Vlcek shared a brief timeline of the last year's incident that came out to be the worst nightmare for the company, detailing how and when unknown hackers breached Pi...

If you have downloaded or updated CCleaner application on your computer between August 15 and September 12 of this year from its official website, then pay attention—your computer has been compromised. CCleaner is a popular application with over 2 billion downloads, created by Piriform and recently acquired by Avast, that allows users to clean up their system to optimize and enhance performance. Security researchers from Cisco Talos discovered that the download servers used by Avast to let users download the application were compromised by some unknown hackers, who replaced the original version of the software with the malicious one and distributed it to millions of users for around a month. This incident is yet another example of supply chain attack. Earlier this year, update servers of a Ukrainian company called MeDoc were also compromised in the same way to distribute the Petya ransomware , which wreaked havoc worldwide. Avast and Piriform have both confirmed that the W...

Like many others, do you also believe that the popular system-cleaning tool CCleaner was performing well before Avast acquired the software from Piriform last year? If yes, then pop-up advertisements in the previous CCleaner software version was not the last thing you have to deal with. Avast has released a new version of CCleaner 5.45 that not only always runs in the background, but also collects information about your system without giving you a way to turn the feature off. CCleaner is a popular application, available in both free and premium versions, with over 2 billion downloads that allow users to clean up their Windows, Mac, and mobile devices to optimize and enhance performance. Last year, CCleaner made headlines when it suffered a massive supply-chain malware attack of all times, wherein hackers compromised its servers for over a month and replaced the original version of the software with the malicious one, infecting over 2.3 million users worldwide. CCleaner ...

Guess what's more expensive than counterfeit United States passports, stolen credit cards and even guns on the dark web? It's digital code signing certificates. A recent study conducted by the Cyber Security Research Institute (CSRI) this week revealed that stolen digital code-signing certificates are readily available for anyone to purchase on the dark web for up to $1,200. As you may know, digital certificates issued by a trusted certificate authority (CA) are used to cryptographically sign computer applications and software, and are trusted by your computer for execution of those programs without any warning messages. However, malware author and hackers who are always in search of advanced techniques to bypass security solutions have been abusing trusted digital certificates during recent years. Hackers use compromised code signing certificates associated with trusted software vendors in order to sign their malicious code, reducing the possibility of their malw...

Digitally signed malware has become much more common in recent years to mask malicious intentions. Security researchers have discovered a new malware campaign misusing stolen valid digital certificates from Taiwanese tech-companies, including D-Link, to sign their malware and making them look like legitimate applications. As you may know, digital certificates issued by a trusted certificate authority (CA) are used to cryptographically sign computer applications and software and are trusted by your computer for execution of those programs without any warning messages. However, malware author and hackers who are always in search of advanced techniques to bypass security solutions have seen been abusing trusted digital certificates in recent years. Hackers use compromised code signing certificates associated with trusted software vendors in order to sign their malicious code, reducing the possibility of their malware being detected on targeted enterprise networks and consumer...

Cybersecurity researchers have detailed the inner workings of ShadowPad , a sophisticated and modular backdoor that has been adopted by a growing number of Chinese threat groups in recent years, while also linking it to the country's civilian and military intelligence agencies. "ShadowPad is decrypted in memory using a custom decryption algorithm," researchers from Secureworks said in a report shared with The Hacker News. "ShadowPad extracts information about the host, executes commands, interacts with the file system and registry, and deploys new modules to extend functionality." ShadowPad is a remote access trojan capable of maintaining persistent access to compromised computers and executing arbitrary commands and next-stage payloads. It also shares noticeable overlaps with the PlugX malware and has been put to use in high-profile attacks against NetSarang, CCleaner, and ASUS, causing the operators to shift tactics and update their defensive measures. ...

Threat actors are increasingly mimicking legitimate applications like Skype, Adobe Reader, and VLC Player as a means to abuse trust relationships and increase the likelihood of a successful social engineering attack. Other most impersonated legitimate apps by icon include 7-Zip, TeamViewer, CCleaner, Microsoft Edge, Steam, Zoom, and WhatsApp, an analysis from VirusTotal has revealed. "One of the simplest social engineering tricks we've seen involves making a malware sample seem a legitimate program," VirusTotal  said  in a Tuesday report. "The icon of these programs is a critical feature used to convince victims that these programs are legitimate." It's no surprise that threat actors resort to a variety of approaches to compromise endpoints by tricking unwitting users into downloading and running seemingly innocuous executables. This, in turn, is primarily achieved by taking advantage of genuine domains in a bid to get around IP-based firewall defenses...

ShadowPad, an infamous Windows backdoor that allows attackers to download further malicious modules or steal data, has been put to use by five different Chinese threat clusters since 2017. "The adoption of ShadowPad significantly reduces the costs of development and maintenance for threat actors," SentinelOne researchers Yi-Jhen Hsieh and Joey Chen  said  in a detailed overview of the malware, adding "some threat groups stopped developing their own backdoors after they gained access to ShadowPad." The American cybersecurity firm dubbed ShadowPad a "masterpiece of privately sold malware in Chinese espionage." A successor to PlugX and a modular malware platform since 2015,  ShadowPad  catapulted to widespread attention in the wake of supply chain incidents targeting  NetSarang ,  CCleaner , and  ASUS , leading the operators to shift tactics and update their defensive measures with advanced anti-detection and persistence techniques. More recently, ...

A massive malware outbreak that last week infected nearly half a million computers with cryptocurrency mining malware in just a few hours was caused by a backdoored version of popular BitTorrent client called MediaGet . Dubbed Dofoil (also known as Smoke Loader), the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mine Electroneum digital coins for attackers using victims' CPU cycles. Dofoil campaign that hit PCs in Russia, Turkey, and Ukraine on 6th March was discovered by Microsoft Windows Defender research department and blocked the attack before it could have done any severe damages. At the time when Windows Defender researchers detected this attack, they did not mention how the malware was delivered to such a massive audience in just 12 hours. However, after investigation Microsoft today revealed that the attackers targeted the update mechanism of MediaGet BitTorrent software to push its trojanized version (m...

Remember the CCleaner hack ? CCleaner hack was one of the largest supply chain attacks that infected more than 2.3 million users with a backdoored version of the software in September 2017. Security researchers today revealed another massive supply chain attack that compromised over 1 million computers manufactured by Taiwan-based tech giant ASUS. A group of state-sponsored hackers last year managed to hijack ASUS Live automatic software update server between June and November 2018 and pushed malicious updates to install backdoors on over one million Windows computers worldwide. According to cybersecurity researchers from Russian firm Kaspersky Lab , who discovered the attack and dubbed it Operation ShadowHammer , Asus was informed about the ongoing supply chain attack on Jan 31, 2019. After analyzing over 200 samples of the malicious updates, researchers learned that hackers did not want to target all users, instead only a specific list of users identified by their uniq...

Cybersecurity researchers have  disclosed  a series of attacks by a threat actor of Chinese origin that has targeted organizations in Russia and Hong Kong with malware — including a previously undocumented backdoor. Attributing the campaign to  Winnti  (or APT41), Positive Technologies dated the first attack to May 12, 2020, when the APT used LNK shortcuts to extract and run the malware payload. A second attack detected on May 30 used a malicious RAR archive file consisting of shortcuts to two bait PDF documents that purported to be a curriculum vitae and an IELTS certificate. The shortcuts themselves contain links to pages hosted on Zeplin, a legitimate collaboration tool for designers and developers that are used to fetch the final-stage malware that, in turn, includes a shellcode loader ("svchast.exe") and a backdoor called  Crosswalk  ("3t54dE3r.tmp"). Crosswalk, first documented by FireEye in 2017, is a bare-bones modular backdoor capable of carry...

Cybersecurity researchers today uncovered new details of watering hole attacks against the Kurdish community in Syria and Turkey for surveillance and intelligence exfiltration purposes. The advanced persistent threat behind the operation, called StrongPity , has retooled with new tactics to control compromised machines, cybersecurity firm Bitdefender said in a report shared with The Hacker News. "Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking," the researchers said. With the timestamps of the analyzed malware samples used in the campaign coinciding with the Turkish offensive into north-eastern Syria (codenamed Operation Peace Spring ) ...

Cybersecurity researchers have found a number of GitHub repositories offering cracked software that are used to deliver an information stealer called RisePro. The campaign, codenamed  gitgub , includes 17 repositories associated with 11 different accounts, according to G DATA. The repositories in question have since been taken down by the Microsoft-owned subsidiary. "The repositories look similar, featuring a README.md file with the promise of free cracked software," the German cybersecurity company  said . "Green and red circles are commonly used on Github to display the status of automatic builds. Gitgub threat actors added four green Unicode circles to their README.md that pretend to display a status alongside a current date and provide a sense of legitimacy and recency." The list of repositories is as follows, with each of them pointing to a download link ("digitalxnetwork[.]com") containing a RAR archive file - andreastanaj/AVAST andreastanaj...

Governments in Turkey and Syria have been caught hijacking local internet users' connections to secretly inject surveillance malware, while the same mass interception technology has been found secretly injecting browser-based cryptocurrency mining scripts into users' web traffic in Egypt. Governments, or agencies linked to it, and ISPs in the three countries are using Deep Packet Inspection technology from Sandvine (which merged with Procera Networks last year), to intercept and alter Internet users' web traffic. Deep packet inspection technology allows ISPs to prioritize, degrade, block, inject, and log various types of Internet traffic, in other words, they can analyze each packet in order to see what you are doing online. According to a new report by Citizen Lab, Turkey's Telecom network was using Sandvine PacketLogic devices to redirect hundreds of targeted users (journalists, lawyers, and human rights defenders) to malicious versions of legitimate progra...

A newly patched security flaw in Microsoft Windows was exploited as a zero-day by Lazarus Group , a prolific state-sponsored actor affiliated with North Korea. The security vulnerability, tracked as CVE-2024-38193 (CVSS score: 7.8), has been described as a privilege escalation bug in the Windows Ancillary Function Driver (AFD.sys) for WinSock. "An attacker who successfully exploited this vulnerability could gain SYSTEM privileges," Microsoft said in an advisory for the flaw last week. It was addressed by the tech giant as part of its monthly Patch Tuesday update. Credited with discovering and reporting the flaw are Gen Digital researchers Luigino Camastra and Milánek. Gen Digital owns a number of security and utility software brands like Norton, Avast, Avira, AVG, ReputationDefender, and CCleaner. "This flaw allowed them to gain unauthorized access to sensitive system areas," the company disclosed last week, adding it discovered the exploitation in early J...