As investigations continue about the backdoor that was planted in CCleaner, Avast said it has found that the actors behind the attack were planning to install a third round of malware on compromised computers.

CANCUN, Mexico – As investigations continue into a backdoor that was planted in the CCleaner utility in 2017, Avast said it has found that the threat actors behind the attack were planning to install a third round of ShadowPad malware on compromised computers.

Avast, which acquired Piriform, the maker of CCleaner, in July, said that it has been continually investigating the malware attack on the popular PC cleaning tool CCleaner (formerly Crap Cleaner) since it was first revealed in September 2017. While the company has not found evidence of a third-stage binary on infected computers, it has found evidence of “what the intended third stage might have been,” according to Avast, speaking at Kaspersky Lab’s Security Analyst Summit last week.

Avast said it has found that the malware in question spread to Piriform’s build server sometime between March and July 4, 2017.

Avast brought the issue to light in September, saying that the 32-bit versions of CCleaner V5.33.6162 and CCleaner Cloud V1.07.3191 – which had been installed on up to 2.27 million computers – had been infected by malware that collected data such as computer names and lists of installed software and running processes. In addition to data collection, Avast said that the malware also had downloader capabilities, which were active on 40 PCs.

In September, Avast and Kaspersky Lab’s Costin Raiu said that they believed Chinese cyber espionage group Axiom was behind the attack.

The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella'. — Costin Raiu (@craiu) September 19, 2017

“Up until now, we have not found any third stage binary on the affected computers,” the company said. “However, we now have found evidence that leads us to the assumption of what the intended third stage might have been.”

While eliminating the threat from the Piriform network, Avast started consolidating and inspecting the Piriform infrastructure and computers, and found preliminary versions of the stage one and stage two binaries on them. Then, on four computers on the Piriform network, the company found evidence that a specialized multi-purpose, modular malware framework called ShadowPad had been installed.

“It turned out we found an older version of stage two inside the network itself trying to download a tool called ShadowPad,” Martin Hron, security researcher at Avast, told Threatpost during SAS.

ShadowPad is a modular attack platform that attackers deploy inside networks to gain remote control, keylogging and data exfiltration capabilities.

Hron said that the tool was installed on the four Piriform computers on April 13, 2017; Avast established this after finding ShadowPad log files containing encrypted keystrokes captured by a keylogger installed on the computers.

“The version of the ShadowPad tool is custom-built, leading us to the assumption that it was explicitly built for Piriform,” said the company. “By installing a tool like ShadowPad, the cybercriminals were able to fully control the system remotely and collect all the credentials and insights into the operations on the targeted computer. Besides the keylogger tool, other tools were installed on the four computers, including a password stealer, and tools providing capacities to install further software and plugins on the targeted computer remotely.”

ShadowPad was first discovered in August after researchers at Kaspersky Lab found a backdoor in NetSarang’s server management software package. The researchers said that the modular platform could download and execute arbitrary code, create processes, and maintain a virtual file system in the registry, all of which are encrypted and stored in locations unique to each victim.

“We don’t have a sample of the third stage payload distributed via the CCleaner hack to any of these computers, and it is not clear if it was the attacker’s intention to attack all 40 of them, just a few, or none. We continue investigating the data dumps from the computers, and will post an update as soon as we learn more,” the company said.