What is it? Supply-Chain Malware
What has been affected? CCleaner v5.33.6162 | CCleaner Cloud v1.07.3191 (32-bit version) | 1
What does it do?
CCleaner is an application that allows users to clean temporary files, analyze systems in an effort to optimize performance, and to perform routine maintenance on a device. Attackers were able to modify the CCleaner.exe binary that users were installing from the company Piriform, which was just acquired by Avast on July 18, 2017, a company that provides Antivirus services.
When the 32-bit CCleaner v5.33.6162 was downloaded it contained a malicious payload, that included a two-stage backdoor. The executable was signed by a valid digital signature issued to Piriform by Symantec and is valid until 2018.
The malware has the ability to and has been seen collecting information from infected users systems such as the name of the computer, IP address, list of installed software, list of running processes, list of network adapters, and MAC addresses of network adapters. The collected data is then sent back to a C2(Command and Control) server, that attackers have control of. The company estimates that the compromised download “may have been used by up to 3% of our users”(Piriform), which would equate to around 3.9 Million users.
How does it do it?
Payload Part One:
The first part of the malware’s payload was hidden in the application’s initialization code called CRT(Common Runtime). The modified code performed actions before the application’s code ran, it decrypted and unpacked hard-coded shellcode(a simple XOR-based cipher was used). The result of this was a DLL(dynamic link library) with a missing MZ header. The DLL was subsequently loaded and executed in an independent thread. After this is through, normal execution of CRT code and the CCleaner is continued, which means the thread with the payload is run in the background.
The code executed within the thread was obfuscated to make its analysis harder. Payload stored information in the Windows registry key
TCID function is a timer value used for checking whether to perform certain actions. It records the current system time on the infected system, it delays for 601 seconds, then continues operations, which according to researchers at Cisco Talos, could be a way to avoid analysis systems. The malware will call a function which attempts to ping 126.96.36.199 using a delay_in_seconds timeout set to 601 seconds, it then checks the system time to see if it has been 600 seconds if the condition is not met the malware will terminate.
The malware will then try to determine what the privileges are of the infected user if the current user running the malicious processes is not an administrator the malware will terminate.
Though if the victim does have administrative privileges the malware will read the value of “InstallID” which is stored in HKLM\SOFTWARE\Piriform\Agomo:MUID. Once the earlier task have been completed the malware will gather information on the system which is eventually sent to a C2 server. The data collected is encrypted and then encoded using modified Base64.
Supply chain style attacks seem to be becoming a trend among attackers. Just last week ten malicious packages we’re found in PyPI(Python Package Index), which is a huge index of repositories for software for the Python programming language. The attackers used a technique called typosquatting, which allowed them to use their own malicious code by using misspelled words that closely relate to legitimate packages (e.g., acqusition instead of acquisition). Another example is the dispersion of the NotPetya ransomware through MeDoc update servers, in June 2017. These type of attacks are extremely dangerous as they take advantage of the trust users have between these systems.
If you are able to spread malware through a dispersion source, like package manager, update server, or through packaged software downloads you wouldn’t have to go out looking for targets, you could filter what you have. The malware seems to be highly sophisticated in its evasion techniques, to avoid detection by analysis/debugging by researchers. This is a strong indication that the attackers behind the malware have an abundance of resources, hinting toward a nation state actor.