  1. #1 JonEp (DF VIP Member)

    Attention CCleaner Compromised to Distribute Malware for Almost a Month

    Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos a few minutes ago.
    Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.
    The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.
    Threat actor compromised CCleaner infrastructure

    Cisco Talos security researchers detected the tainted CCleaner app last week while performing beta testing of a new exploit detection technology.
    Researchers identified a version of CCleaner 5.33 making calls to suspicious domains. While initially, this looked like another case where a user downloaded a fake, malicious CCleaner app, they later discovered that the CCleaner installer was downloaded from the official website and was signed using a valid digital certificate.
    Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan.
    It is unclear if this threat actor breached Avast's systems without the company's knowledge, or the malicious code was added by "an insider with access to either the development or build environments within the organization."
    Clean CCleaner versions released

    Avast bought Piriform — CCleaner's original developer — in July this year, a month before CCleaner 5.33 was released.
    Piriform acknowledged the incident in a blog post today. The company said they found the malware in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.
    On September 13, Piriform released CCleaner 5.34 and CCleaner Cloud version 1.07.3191 that do not contain the malicious code.
    DNS data suggests thousands of users got infected

    The Floxif trojan used randomly generated domains names each month to determine the IP address of its command and control (C&C) server, the location to where it would upload data collected from each host.
    DNS requests for the domain names used in August and September show that hundreds, if not thousands of users were infected.

    https://www.bleepingcomputer.com/new...lmost-a-month/


    Monday, September 18, 2017
    Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users

    PAUL YUNG
    VP, Products


    Dear CCleaner customers, users and supporters,
    We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. Suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before they were released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.
    Technical description
    An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.
    The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler. This code modification was executed by the following function calls (functions marked by red represent the CRT modifications):

    This modification performed the following actions before the main application’s code:

    • It decrypted and unpacked hardcoded shellcode (10 kB large); a simple XOR-based cipher was used for this.
    • The result (16 kB in size) was a DLL (dynamic link library) with a missing MZ header.
    • This DLL was subsequently loaded and executed in an independent thread.
    • Afterwards, normal execution of the CRT code and the main CCleaner code continued, leaving the thread with the payload running in the background.

    Illustration of patched CRT code (see the added call to a payload-decryption routine in the modified version):

    The code executed within that thread was heavily obfuscated to make its analysis harder (encrypted strings, indirect API calls, etc.). The suspicious code was performing the following actions:

    • It stored certain information in the Windows registry key HKLM\SOFTWARE\Piriform\Agomo:
      • MUID: randomly generated number identifying a particular system. Possibly also to be used as communication encryption key.
      • TCID: timer value used for checking whether to perform certain actions (communication, etc.)
      • NID: IP address of secondary CnC server

    • Besides that, it collected the following information about the local system:
      • Name of the computer
      • List of installed software, including Windows updates
      • List of running processes
      • MAC addresses of first three network adapters
      • Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

    • All of the collected information was encrypted and encoded by base64 with a custom alphabet.
    • The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via an HTTPS POST request. There was also a [fake] reference to “Host: speccy.piriform.com” in the communication.
    • The code then read a reply from the same IP address, providing it with the functionality to download a second-stage payload from the aforementioned IP address. The second-stage payload is received as a custom base64-encoded string, further encrypted by the same XOR-based encryption algorithm as all the strings in the first-stage code. We have not detected an execution of the second-stage payload and believe that its activation is highly unlikely.
    • In case the IP address becomes unreachable, a backup in the form of DGA (domain name generator) activates and is used to redirect communication to a different location. Fortunately, these generated domains are not under the control of the attacker and do not pose any risk.

    At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing. We want to thank the Avast Threat Labs for their help and assistance with this analysis.
    Again, we would like to apologize for any inconvenience this incident could have caused to our clients; we are taking detailed steps internally so that this does not happen again, and to ensure your security while using any of our Piriform products. Users of our cloud version have received an automated update. For all other users, if you have not already done so, we encourage you to update your CCleaner software to version 5.34 or higher, the latest version is available for download here.
    Thank you,
    Paul Yung
    VP Products


    http://www.piriform.com/news/blog/20...-windows-users



  2. #2 JonEp (DF VIP Member)

    Re: CCleaner Compromised to Distribute Malware for Almost a Month

    Going to be a long day for IT departments.

    Not many AVs are picking this up yet...

    https://www.virustotal.com/#/file/6f...f0a9/detection


    5 / 64 engines detected this file

    SHA-256: 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
    File name: ccleaner
    File size: 7.32 MB
    Last analysis: 2017-09-18 10:46:45 UTC
    Community score: -190


    Just ran a full scan with Kaspersky and it came back clean; only Immunet on my servers caught it.
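    As an added example (this is not code from the page, from Piriform or from Cisco Talos), the indicators quoted above can be turned into a per-host triage check: the affected build numbers 5.33.6162 and 1.07.3191, the 32-bit installer SHA-256 from the VirusTotal result in this post (the 64-bit hash is only shown truncated in the thread, so it is not included), and the registry key HKLM\SOFTWARE\Piriform\Agomo with its MUID/TCID/NID values that the backdoor writes when it actually runs. The default install paths and the exact FileVersion string format of CCleaner.exe are assumptions, which is why both "5.33.6162" and "5.33.0.6162" are accepted.

```powershell
# Added triage script (not Piriform's or Cisco Talos's code). Checks one
# Windows host for the indicators stated in the thread:
#   - CCleaner.exe reporting trojanised build 5.33.6162 (Cloud: 1.07.3191)
#   - the 32-bit installer SHA-256 from the VirusTotal post
#   - the HKLM\SOFTWARE\Piriform\Agomo key written by the backdoor
# Requires PowerShell 4.0+ for Get-FileHash. Install paths are assumed defaults.

function Test-CCleanerCompromise {
    [CmdletBinding()]
    param(
        # Extra file locations to check, on top of the assumed default paths.
        [string[]]$AdditionalPaths = @()
    )

    # Assumption: FileVersion may read "5.33.6162" or "5.33.0.6162".
    $badVersionPattern = '^(5\.33\.(0\.)?6162|1\.07\.(0\.)?3191)$'
    # Only the 32-bit installer hash appears in full on the page.
    $badHashes = @('6F7840C77F99049D788155C1351E1560B62B8AD18AD0E9ADDA8218B9F432F0A9')
    $agomoKey  = 'HKLM:\SOFTWARE\Piriform\Agomo'

    $candidates = @(
        "$env:ProgramFiles\CCleaner\CCleaner.exe",
        "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
    ) + $AdditionalPaths

    $findings = New-Object System.Collections.Generic.List[string]

    foreach ($path in ($candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) })) {
        # Normalise separators such as "5, 33, 0, 6162" to dots before matching.
        $raw     = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        $version = ($raw -replace '[^\d]+', '.').Trim('.')
        if ($version -match $badVersionPattern) {
            $findings.Add("Affected build $version at $path")
        }
        $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash.ToUpperInvariant()
        if ($badHashes -contains $hash) {
            $findings.Add("Known-bad SHA-256 at $path")
        }
    }

    # The registry key is the strongest sign the backdoor actually executed:
    # a clean host has no Piriform\Agomo key at all.
    $agomo = $null
    if (Test-Path -LiteralPath $agomoKey) {
        $agomo = Get-ItemProperty -LiteralPath $agomoKey
        $findings.Add("Backdoor registry key present: $agomoKey (MUID=$($agomo.MUID) TCID=$($agomo.TCID) NID=$($agomo.NID))")
    }

    [PSCustomObject]@{
        ComputerName   = $env:COMPUTERNAME
        # Piriform reports the payload only ran on 32-bit Windows; still
        # report the file indicators on 64-bit hosts so the build gets replaced.
        Is64BitWindows = [Environment]::Is64BitOperatingSystem
        AgomoKeyFound  = [bool]$agomo
        Findings       = $findings.ToArray()
        Compromised    = ($findings.Count -gt 0)
    }
}

# Usage on one host; wrap in Invoke-Command -ComputerName for a fleet.
Test-CCleanerCompromise | Format-List
```

    A host that only matches the version or hash had the tainted build installed; a host with the Agomo key also ran the backdoor and should be treated as having beaconed, so the NID value (the secondary C&C address per Piriform's write-up) is worth pulling into network logs.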


  3. #3 CominAtcha (DF VIP Member)

    Re: CCleaner Compromised to Distribute Malware for Almost a Month

    So this affected 32 bit systems only?



  4. #4 JonEp (DF VIP Member)

    Re: CCleaner Compromised to Distribute Malware for Almost a Month

    Quote Originally Posted by CominAtcha:
    So this affected 32 bit systems only?

    Excellent point: the 64-bit executable comes back negative; it's only the 32-bit one that is also packaged that shows as infected!

    https://www.virustotal.com/#/file/70...088b/detection



  5. #5 EvilBoB (DF Moderator)

    Re: CCleaner Compromised to Distribute Malware for Almost a Month

    Got a number of customers that use ccleaner *sigh* looks like I've got some work to do.

  6. #6 JonEp (DF VIP Member)

    Re: CCleaner Compromised to Distribute Malware for Almost a Month

    I can't believe it: 3 PM and Kaspersky, Microsoft and Symantec are still not detecting this file in their AV packages. I am so impressed with Immunet, which runs on servers as well and is free.
