![]() ![]() Talos Group"identified a specific executable" during tests of the company's new exploit detection tool which came from the CCleaner 5.33 installer which in turn was delivered by legitimate CCleaner download servers. Talos Group informed Avast, the parent company of Piriform, about the situation. Security researchers of Cisco's Talos Group revealed details about the successful supply chain attack. CCleaner Cloud was released on August 24th, 2017, and a non-compromised version of the program on September 15th, 2017.CCleaner was released on August 15th, 2017, and an updated non-compromised version was released on September 12, 2017.The latest release version of CCleaner is version 5.34 at the time of writing. The company asks users to update their version of the program to the latest available release if that has not been done already. According to Piriform, only the 32-bit versions of the applications were compromised and distributed using the company's own infrastructure. The affected versions are CCleaner and CCleaner Cloud. However, RogueKiller (version 12.11.16 and above) finds the infected CCleaner binaries, as well as the registry keys used by the malware and remove them.The hackers compromised two versions of the CCleaner in the attack which have been used by up to 3% of the company's user base. RemovalĪvast claims updating CCleaner to version 5.34 addresses the issue and removes the malware. Update: The C&C server has been takedown and DGA domains taken, so in theory the malware cannot do anything now. It could ask to deliver a Ransomware for example. But this may change very quickly if the malware owner decides to send different orders from the command and control (C&C) server. The malware code appears to be using extensively the following registry key to store data: HKLM\SOFTWARE\Piriform\AgomoĪlso, for now, the malware doesn’t seem to be very aggressive and only logs inoffensive data from the machine (machine name, IP address, etc…). The payload is a DLL stored encrypted (XOR) without the PE header (to avoid AV detections), and once loaded it fires a new thread that will run the malware code. In this routine, the malware is executing what appears to be a PE loader, using Heap creation and execution. That way, the malware is able to execute its own code before to launch the legitimate program. That means the TLS callback is first called, before the actual binary entrypoint. The official CCleaner binary was patched using the TLS callback method. They either altered the source code (unlikely) or added a patch routine (most likely) on the end binary, just before the digital signature processing. It is very possible (not confirmed) that this machine was compromised and that hackers gained access to it. That machine is also responsible for signing the end package to make sure no altered version can be spread under the company’s name ( see our blog post about code signing). Usually, this requires a dedicated machine where the source code is compiled into the new binary/installer. HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP What happened?Įvery big software company uses “continuous integration and deployment”, a methodology that allows easier, faster and safer software update (with testing). HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004 ![]() HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003 HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002 Also, another registry key was found storing a malware (later executed by the infection): HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001 ![]() As of now, we don’t know what this second stage infection is doing. They also found that machines from these organizations (20 machines) got a second stage payload. After analysing the server code, they discovered interesting domains list of the possible targets, including Cisco, Samsung and other big corporations. Talos discovered that the supposedly sleeping or idle infection was actually just filtering for specific targets on C&C (command and control) server. Older and newer versions are not affected, and Avast (CCleaner owner) claims simply updating to 5.34 removes the malware. Version 5.33 of the popular machine cleaner CCleaner has been compromised to deliver the Floxif malware as injected DLL. ![]()
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |