Incident:
The download servers used to distribute CCleaner (32-bit) were compromised by attackers, CCleaner version 5.33 was bundled with a malware and was being distributed through the Piriform hosting platform. This version was hosted directly on CCleaner’s download servers from September 11, 2017. The incident was disclosed by Cisco Talos team on Sept 13 2017. Piriform is the original developer of CCleaner. The compromised version were signed with a valid certificate issued to Piriform Ltd by Symantec, this leads to a speculation that the either the development or build setup may have been compromised.
The malicious payload contains a Domain Generation Algorithm(DGA), hard coded C&C instructions and commands.
Payload Functionality:
– When a user tries to install the said application, the execution flow is redirected to malicious code within the CCleaner binary.
– This code segment decrypts bits within the binary to reveal a PE loader and a DLL (CBkrdr.dll) with the IMAGE_DOS_HEADER contents set to zero, this is done to evade detection.
– The PE loader the patches the DLL and loads it in to CCleaner’s process space and calls DLLEntryPoint() of the malicious DLL in a thread, cleans up any allocated memory and deletes the DLL and PE loader code within the binary and resumes the CCleaner’s installation routine.
– The DLL executes in the background and creates registry entries under HKLM\SOFTWARE\Piriform\Agomo. It contains 3 keys MUID,TCID and NID. These values affect the payloads behavior.
– It collects information about the target machine and sends it to a C&C server at 216.126.x.x via HTTPS Post. If the server is not reachable by IP then the DGA component generates a domain name and it tries to reach it via the domain name.
– The command server responds with a second stage payload disguised as a base-64 encoded string. The current samples do not show that second payload ever being executed.
Information Collected:
– Name of the machine, user privileges, architecture etc.
– List of installed softwares and Windows updates.
– MAC addresses of Network cards.
– List of running processes.
Updates:
Some light has been shed on how the attackers to organized the data collected from targets. The C2 server targets specific organizations like cisco.com, vmware.com, samsung.sepm, dlink.com to name a few. The data collected is stored in MySQL database which currently has over 860000 entries from government domains, banks etc. The timestamp indicates that over 700,000 targets communicated with the C2 server from Sept. 12th and Sept. 16th.
The C2 server checks the Domain list, IP list and Host list to decide if second stage payload should to be delivered. Cisco Talos has confirmed that 20 targets received the second stage payload.
Updates: Second Stage Payload
– As mention in earlier sections the second stage payload is sent to the target as a base-64 encoded string. The file name is GeeSetup_x86.dll. This payload further drops one of two trojanized binaries based on the architecture of the target, TSMSISrv.dll for x86 and EFACli64.dll for x64.
– GeeSetup_x86.dll also drops an encoded PE file in the registry.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
– The trojanized binary decodes the PE file in the registry and executes it in-memory or fileless execution.
– The trojanized binary also executes a backdoor file which retrieves an IP from github.com or wordpress.com. The IP is hidden using stenography. An additional PE file is downloaded from this IP. Currently its purpose is not clear.
Mitigation:
We request organizations to use CCleaner v5.34 and scan their network with QID 370560 to detect vulnerable machines.
Please continue to follow ThreatProtect for more coverage on this incident.
References:
CCleanup: A Vast Number of Machines at Risk
CCleaner Command and Control Causes Concern
Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
QID 370360 is this correct one?
Correct QID is 370560. I have updated the post to reflect the same.
Correct QID for Piriform CCleaner Remote Code Execution Vulnerability is 370560.
Thank you for catching that, correct QID is 370560