25 September 2017
Do you use CCleaner for the maintenance of your systems?
CCleaner (formerly Crap Cleaner), developed by Piriform, is an application that allows users to perform routine maintenance on their systems. It includes functionality such as cleaning of temporary files, analyzing the system to determine ways in which performance can be optimized and provides a more streamlined way to manage installed applications.
On September 13, 2017, while conducting customer beta testing of our new exploit detection technology, Cisco Talos identified a specific executable that was triggering our advanced malware protection systems. Upon closer inspection, the executable in question was the installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers. Supply chain attacks exploit the existing trust relationship between organizations and their vendors; in this case, researchers discovered a supply chain attack delivered through CCleaner, a system maintenance software package provided by Piriform (acquired by Avast in July 2017).
CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Microsoft Windows were infected with a multi-stage malware payload on or about Aug 15, 2017. The infected software was hosted on the CCleaner download site. Piriform states that the compromised software could have affected 3% of its user base; however, since CCleaner claims millions of downloads per week, that is potentially a severe issue.
Because the malware was signed with a valid code-signing certificate issued to Piriform Ltd, many anti-virus packages did not detect it. Indications are that Piriform's development environment was compromised, which would explain the attackers' access to the signing certificate and their ability to host the software on Piriform's download server. The malicious versions of CCleaner were removed from the download server as of Sep 12, 2017, and the compromised certificate is no longer in use.
The malicious code injected into the CCleaner binary diverts normal CCleaner execution to run the malicious code and then returns to normal CCleaner operation. The malicious payload is contained in a DLL, CBkdr.dll, which was modified in an attempt to evade detection: its IMAGE_DOS_HEADER was zeroed out. The DLLEntryPoint creates an execution thread so that control can be returned to the loader. This thread is responsible for calling CCBkdr_GetShellcodeFromC2AndCall. It also sets up a Return Oriented Programming (ROP) chain that is used to deallocate the memory associated with the DLL and exit the thread.
When run, the malware allocates heap memory, decrypts the downloader, erases the source data, and executes the downloader in memory. It begins by trying to ping the multicast address 188.8.131.52. Delays of 601 seconds are built into the malware to complicate analysis of the binary. The current time is stored in the registry value HKLM\SOFTWARE\Piriform\Agomo:TCID and used for later comparisons.
For the malware to operate, the current user needs to have administrative rights. If the user has the required permissions, SeDebugPrivilege is enabled for the binary; otherwise the downloader terminates. If it continues to run, the infected system is profiled and the collected data is stored for transmission to the C2 server.
The C2 capabilities of this malware appear to be implemented in a unique way. Although a C2 IP is stored in the Windows registry at HKLM\SOFTWARE\Piriform\Agomo:NID, there is no apparent use of this value. Instead, the malware attempts an HTTPS POST to a hard-coded IP address, using the same HTTPS header used by Piriform's Speccy product to further disguise its activity. Should the HTTPS POST request fail, the malware falls back to a domain generation algorithm (DGA) to find its C2. The algorithm generates domain names based on the month and year. Lookups of all generated C2 domains are attempted, with the expectation of receiving two IP addresses from the DGA domain lookups; a secondary C2 IP address is then calculated by performing bit-wise operations on the two returned addresses. Domains generated by this algorithm were not registered at the time the attack was discovered, and researchers registered and sinkholed all of the DGA domains to prevent the malware from making successful contact via this method.
The malware payload is delivered from the C2 server in a modified Base64 encoding and executed in the same manner as the downloader: memory is allocated on the heap and the binary payload is executed there. Execution is performed through DLL library calls.
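The host artifacts described above (the Agomo registry values, the affected build numbers and the Piriform-signed binary) can be checked from an elevated PowerShell session. The script below is an added example written for this page, not code from Piriform, Avast or Cisco Talos; the registry path and version numbers are taken from the advisory, while the default install path and the shape of the result objects are this script's own assumptions.

```powershell
# Added example (not part of the original advisory): hunt for the CCleaner
# backdoor artifacts on a Windows host. Run in an elevated PowerShell session.
# Registry path and affected versions come from the advisory; the default
# install path and the output object layout are assumptions of this script.

$AffectedVersions = @{
    'CCleaner'       = [version]'5.33.6162'
    'CCleaner Cloud' = [version]'1.07.3191'
}

function Get-CCleanerBackdoorIndicators {
    [CmdletBinding()]
    param(
        # Registry key written by the malware (from the advisory)
        [string]$AgomoKey = 'HKLM:\SOFTWARE\Piriform\Agomo',
        # Default CCleaner binary location (assumption; adjust if installed elsewhere)
        [string]$CCleanerExe = "$env:ProgramFiles\CCleaner\CCleaner.exe"
    )

    $findings = [System.Collections.Generic.List[psobject]]::new()

    # 1. Registry artifacts: TCID (stored timestamp) and NID (stored C2 IP)
    if (Test-Path -Path $AgomoKey) {
        $values = Get-ItemProperty -Path $AgomoKey
        foreach ($name in 'TCID', 'NID') {
            if ($null -ne $values.PSObject.Properties[$name]) {
                $findings.Add([pscustomobject]@{
                    Indicator = "Registry value $AgomoKey\$name present"
                    Detail    = [string]$values.$name
                    Severity  = 'High'
                })
            }
        }
    }

    # 2. Installed product versions: compare against the known-bad builds
    $uninstallRoots = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallRoots -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'CCleaner*' } |
        ForEach-Object {
            $product   = if ($_.DisplayName -match 'Cloud') { 'CCleaner Cloud' } else { 'CCleaner' }
            $installed = $null
            [void][version]::TryParse([string]$_.DisplayVersion, [ref]$installed)
            $isBad = ($null -ne $installed) -and ($installed -eq $AffectedVersions[$product])
            $findings.Add([pscustomobject]@{
                Indicator = "$product version $($_.DisplayVersion) installed"
                Detail    = if ($isBad) { 'matches trojanized build' } else { 'not a known-bad build' }
                Severity  = if ($isBad) { 'High' } else { 'Info' }
            })
        }

    # 3. Authenticode signature on the installed binary. The trojanized build was
    #    signed with a valid Piriform certificate, so Status=Valid alone does not
    #    clear the host; record the signer and thumbprint for comparison.
    if (Test-Path -LiteralPath $CCleanerExe) {
        $sig = Get-AuthenticodeSignature -FilePath $CCleanerExe
        $findings.Add([pscustomobject]@{
            Indicator = "Authenticode on $CCleanerExe"
            Detail    = '{0}; signer={1}; thumbprint={2}' -f $sig.Status,
                        $sig.SignerCertificate.Subject, $sig.SignerCertificate.Thumbprint
            Severity  = 'Info'
        })
    }

    return $findings
}

Get-CCleanerBackdoorIndicators | Format-Table -AutoSize
```

Any `High` finding warrants treating the host as compromised rather than simply upgrading CCleaner, since the payload ran with administrative rights and profiled the system. The signature check is deliberately informational: as the advisory notes, a valid Piriform signature was exactly what let the malicious build slip past endpoint protection.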
Anti-virus detection names
- Troj/Mogoa-A (Sophos)
- TR/RedCap.yogmm (Avira)
- W32/CCleaner.A!tr (Fortinet)
- Win32:TlsHack-A [Trj] (AVG)
- BackDoor-FDQI!5AF11CBE6400 (McAfee)
- TROJ_GEN.R038C0DIK17 (Trend Micro)
- Trojan.Sibakdi (Symantec)
- Win32/CCleaner.A (ESET)
- Win.Trojan.Floxif-6336251-0 (Clam AV)
- Trojan.PRForm.A (BitDefender)
- Trojan.PRForm.A (Ad-Aware)
- Trojan.PRForm.A (F-secure)
- Trojan.CCleaner.2 (Dr.Web)
- Artemis!Trojan (McAfee)
Recommendations
- Update CCleaner and CCleaner Cloud to the latest versions from Piriform.
- Customers are advised to use a layered approach to securing their environment.
- Ensure all signatures are up to date, including endpoint technologies.
- Ensure all operating systems and public-facing machines have the latest security patches, and that antivirus software and definitions are up to date.
- Ensure systems have a running firewall, unnecessary ports are closed/blocked, and unused services are disabled.
Recommended best practices
- Disable default user accounts.
- Educate users to avoid following links to untrusted sites.
- Always execute browsing software with the least privileges possible.
- Turn on Data Execution Prevention (DEP) for systems that support it.
- Maintain a regular patch and update cycle for OS and installed software.
- For additional details please reference: http://technet.microsoft.com/en-us/library/dd277328.aspx
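Several of the items in the two lists above (DEP, a running firewall, disabled unused services, disabled default accounts, closed ports) can be audited from PowerShell. The script below is an added example written for this page, not code from the advisory's author; the CIM and firewall properties it reads are documented Windows APIs, while the list of "unneeded" services and the pass/fail thresholds are assumptions to be adjusted per environment.

```powershell
# Added example (not part of the original advisory): audit the host-hardening
# recommendations above. Requires an elevated PowerShell 5.1+ session.
# Service list and pass/fail thresholds are this script's assumptions.

function Test-HostHardening {
    [CmdletBinding()]
    param(
        # Services considered unnecessary here (assumption; tailor to your baseline)
        [string[]]$UnneededServices = @('RemoteRegistry', 'Telnet')
    )

    $results = [System.Collections.Generic.List[psobject]]::new()
    function Add-Result([string]$Check, [bool]$Pass, [string]$Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Pass = $Pass; Detail = $Detail })
    }

    # DEP: Win32_OperatingSystem.DataExecutionPrevention_SupportPolicy
    #   0 = AlwaysOff, 1 = AlwaysOn, 2 = OptIn (default), 3 = OptOut
    $os        = Get-CimInstance -ClassName Win32_OperatingSystem
    $depPolicy = [int]$os.DataExecutionPrevention_SupportPolicy
    Add-Result 'DEP enabled' ($depPolicy -in 1, 2, 3) `
        "SupportPolicy=$depPolicy Available=$($os.DataExecutionPrevention_Available)"

    # Firewall: every profile enabled and not defaulting to Allow inbound
    foreach ($p in Get-NetFirewallProfile) {
        $ok = ($p.Enabled -eq 'True') -and ($p.DefaultInboundAction -ne 'Allow')
        Add-Result "Firewall profile $($p.Name)" $ok `
            "Enabled=$($p.Enabled) DefaultInbound=$($p.DefaultInboundAction)"
    }

    # Unused services: flag any that are running or not set to Disabled
    foreach ($name in $UnneededServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Add-Result "Service $name" $true 'not installed'; continue }
        $ok = ($svc.Status -ne 'Running') -and ($svc.StartType -eq 'Disabled')
        Add-Result "Service $name" $ok "Status=$($svc.Status) StartType=$($svc.StartType)"
    }

    # Default accounts: built-in Administrator (RID 500) and Guest (RID 501)
    foreach ($u in Get-LocalUser | Where-Object { $_.SID.Value -match '-50[01]$' }) {
        Add-Result "Default account $($u.Name) disabled" (-not $u.Enabled) "Enabled=$($u.Enabled)"
    }

    # Listening TCP ports: reported for review; anything not needed should be closed
    $ports = Get-NetTCPConnection -State Listen |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    Add-Result 'Listening TCP ports (review)' $true ($ports -join ', ')

    return $results
}

Test-HostHardening | Format-Table -AutoSize
```

Failed checks map directly onto the list items above, so the output doubles as a remediation worklist; the listening-port line is reported rather than graded because which ports are "unnecessary" depends on the host's role.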
For more information on the topic and our Cyber Security Solutions & Services, please contact us by email at email@example.com.