The backdoor delivered to 2.27 million CCleaner customers worldwide was designed to collect information from CCleaner users and to download second- and third-stage malware to around 40 targets, making it a highly targeted attack. The third-stage malware is reported to be the infamous ShadowPad backdoor that also hit NetSarang in a Supply Chain Compromise.
The [Initial Access](https://threatmodel.venafi.com/tactics/VTA0001/) vector appears to have been an infected endpoint belonging to a CCleaner developer. According to Avast's investigation, the threat actors accessed Piriform's network in March 2017, before Avast acquired the company, using login credentials for a TeamViewer account on a developer workstation. (Citation: Avast CCleaner)
| Domain | ID | Sub-technique | Name |
|---|---|---|---|
| Enterprise | VT0004 | .002 | Supply Chain Compromise: Compromise Software Supply Chain |
Threat Actors That Use This Tool
APT17 is suspected to be the APT group that inserted the CCBkdr backdoor into CCleaner and distributed it to over 2 million CCleaner users.
Created: 05 May 2021
Last Modified: 05 May 2021