CCleaner Malware Infects Big Tech Companies With Second Backdoor
The group of unknown hackers who hijacked CCleaner’s download server to distribute a malicious version of the popular system optimization software targeted at least 20 major international technology companies with a second-stage payload.
Earlier this week, when the CCleaner hack was reported, researchers assured users that there’s no second stage malware used in the massive attack and affected users can simply update their version in order to get rid of the malicious software.
However, during the analysis of the hackers’ command-and-control (C2) server to which the malicious CCleaner versions connected, security researchers from Cisco’s Talos Group found evidence of a second payload (GeeSetup_x86.dll, a lightweight backdoor module) that was delivered to a specific list of computers based on local domain names.
MADRID—As the investigation continues into the backdoor planted inside CCleaner, two members of parent company Avast's threat intelligence team said today that the desktop and cloud versions of the popular software contained different payloads.
The revelation was made during a talk at Virus Bulletin 2017 in which Jakub Kroustek and Jiri Bracek shared technical details on the attack, mainly about the command and control infrastructure used for communication, as well as some insight into the targets, and hinted that there may be other stages of this attack that have yet to be uncovered.
Kroustek and Bracek said there are likely more than the three stages of this attack that have been discussed so far; each stage to date has been a downloader grabbing the next phase of the operation. IP addresses housing these stages are hidden, either encrypted with custom cryptographic algorithms or tucked away on phishing sites or purpose-built GitHub or WordPress pages that are scanned by the malware in order to piece together clues as to the IP addresses holding the next stage.
More evidence seems to point toward this being a targeted attack, with only 40 installations of the second-stage payload reported to Avast out of more than 2.27 million customers who received a compromised version of the PC maintenance software.
“This means it was very targeted and used only against a specific group of users,” Bracek said.
The researchers shared a list of domains from the malware suggesting that if a compromised machine from one of those domains connected, it would receive the second-stage payload. These domains include Samsung, Microsoft, Sony, Akamai and others, indicating that espionage could be the goal of this attack.
Meanwhile, it appears that the attackers behind this campaign were fairly agile in updating their code as the campaign progressed. For example, CCleaner version 5.33 and CCleaner Cloud 1.7.0 contained different payloads.
“There were slight, but important changes,” Kroustek said. “The payload in CCleaner 5.33 contains a condition that if the user is not an admin, the shellcode exits. That was removed in the cloud version and CCleaner contacted the IPs for the second stage regardless.”
Kroustek and Bracek said the investigation with law enforcement continues, and not all findings could be shared. The researchers recapped the attack, which began with a compromise of a build server owned by Piriform, CCleaner's original developer, which was acquired by Avast in July.
According to a timeline shared by the researchers, Piriform was breached in April, with attackers gaining access to build servers inside the organization. A self-signed digital certificate used to sign the first stage of the attack was created on July 4, two weeks before the Avast acquisition. On Aug. 2, the first build of CCleaner containing a malicious payload was released, followed on Aug. 11 by the first malicious version of CCleaner Cloud.
For some unknown, or undisclosed, reason, versions of CCleaner with no malicious payload were built starting Aug. 25, 18 days before Avast was privately notified by Morphisec that CCleaner may be compromised. On Sept. 15, the first-stage command and control infrastructure was taken down in conjunction with law enforcement, and three days later the breach was publicly disclosed.
The researchers said the first stage of the attack was self-signed by the attackers with a Piriform certificate. The payload was found only in the 32-bit versions of the product and had likely been injected during the build process at compilation time. The attackers intended to make life difficult for analysts, including many anti-debugging features in their code as well as custom crypto throughout. The payload, meanwhile, was a downloader ordered to grab the second stage of the attack. It also sent some system data from clients, the most valuable of which being the computer name and the domain on which the PC is running, along with a list of running processes. Contact was made via a fixed IP address in the code; there was also a Domain Generation Algorithm present, but that was sinkholed by Cisco's Talos research team, which also discovered and disclosed the breach simultaneously with Morphisec.
Avast would not definitively attribute the source of the compromise, but conceded there are code similarities between the CCleaner attack and code belonging to APT17, also known as Axiom or Deputy Dog. APT17 is believed to be tied to the Chinese government and has been implicated in the Aurora attacks. Costin Raiu of Kaspersky Lab shared tweets shortly after the CCleaner disclosure indicating that there was shared code between the two.
Kroustek said a small buffer was found in the CCleaner attack that is similar to one found in an APT17 backdoor.
“There are some significant similarities between the codes,” he said. “I'm not saying it's the same code, but I'm saying the two binaries present increasingly similar code.”
Command and control activity logs also seem to line up with the work day in China (UTC+8). The first-stage payload database also revealed 1.6 million unique MAC addresses and 5.6 million total records. There were, however, only 45 records indicating second-stage attacks, and those were sent to 40 unique PCs, they said.
Bracek said that this demonstrates the risk of whitelisting signed apps such as CCleaner, especially if a supply chain attack is involved.
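The two checks the researchers ran over the C2 database (how many distinct machines reported in, and which of them sit on a domain from the attackers' target list) can be reproduced on constructed beacon records of the kind the first stage sent. This is an added example, not code from the article or from Avast or Talos; the domain suffixes and records are constructed placeholders, not the real list from the malware.

```python
"""Added example (not from the article, Avast or Talos): triage of constructed
stage-1 beacon records (MAC, computer name, domain, whether stage 2 was served)
to find which reporting hosts sit on a target domain and to reproduce the
record/unique-machine counts the researchers reported."""

# Organisations named in the article; the suffixes are constructed
# placeholders, not the real list carried by the malware.
TARGET_DOMAIN_SUFFIXES = ("samsung.example", "microsoft.example",
                          "sony.example", "akamai.example")

# Constructed sample records: (mac, computer_name, domain, stage2_delivered)
SAMPLE_RECORDS = [
    ("00:11:22:33:44:55", "WS01", "corp.samsung.example", True),
    ("00:11:22:33:44:55", "WS01", "corp.samsung.example", True),  # repeat beacon
    ("66:77:88:99:aa:bb", "LAPTOP7", "home.isp.example", False),
    ("cc:dd:ee:ff:00:11", "BUILD3", "eng.akamai.example", True),
    ("22:33:44:55:66:77", "PC-9", "WORKGROUP", False),
]


def on_target_domain(domain, suffixes=TARGET_DOMAIN_SUFFIXES):
    """True if the reported domain equals, or is a subdomain of, a target suffix."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in suffixes)


def summarize(records):
    """Return the counts the researchers reported from the C2 database, plus
    the MACs on target domains that should be prioritised for forensics."""
    stage2 = [r for r in records if r[3]]
    return {
        "total_records": len(records),
        "unique_macs": len({r[0] for r in records}),
        "stage2_records": len(stage2),
        "stage2_unique_pcs": len({r[0] for r in stage2}),
        "targeted_macs": sorted({r[0] for r in records if on_target_domain(r[2])}),
    }


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
```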
“A secure build infrastructure must be a top priority,” he said.