The CCleaner utility was infected with malware for a period of time, allowing hackers to distribute malware to millions of users. The legitimate version of CCleaner 5.33 contained malware that was installed along with the program. The hackers were able to do this by compromising part of the development or build environment and inserting malware into the CCleaner version that was publicly released. This attack exploited the trust relationship between software developers and users to widely distribute malware through a popular cleaning utility.
2. CCleaner
What is this?
Developed by Piriform, CCleaner, aka Crap Cleaner, is a utility program to clean potentially unwanted files. The application is popularly known for cleaning the temporary internet files generated by browsers such as Internet Explorer, Microsoft Edge and Chrome. It also claims to clean malicious programs.

For a period of time, the legitimate, signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.
3. In a few words…
◎ Infected CCleaner 5.33 installer
◎ Infected version was SIGNED with a valid code-signing certificate
◎ Malware was simply installed with the program
Certificate
The version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018.

Process Compromised
An external (internal?) attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization.
Certificate for Malware?
5. The Malware structure
Malware Installation and Operation
• Binary calls the code CC_InfectionBase
• Binary creates an executable heap using HeapCreate
• PE loader is then called and begins its operation:
  • Erases the memory regions that previously contained the PE loader and the DLL file
  • Frees the previously allocated memory
  • Destroys the heap
  • Continues on with normal CCleaner operations.
CBkrdr.dll
• DLL file (CBkrdr.dll) was modified in an attempt to evade detection and had the IMAGE_DOS_HEADER zeroed out
• Calls CCBkdr_GetShellcodeFromC2AndCall. Sets up a ROP chain used to deallocate the memory and exit the thread.
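As an added example (not code from this deck or from Talos), the following Python check flags an in-memory PE image whose IMAGE_DOS_HEADER has been zeroed, the evasion trick described above, and locates the PE signature by scanning since e_lfanew is gone with the header. The sample images are constructed here and are not real CCleaner bytes.

```python
import struct

# IMAGE_DOS_HEADER is 64 bytes: e_magic ("MZ") at offset 0 and
# e_lfanew (file offset of the "PE\0\0" signature) at offset 60.
DOS_HEADER_SIZE = 64
E_LFANEW_OFFSET = 60
PE_SIGNATURE = b"PE\x00\x00"


def classify_dos_header(image: bytes) -> str:
    """Return 'ok', 'zeroed' or 'corrupt' for a PE image held in memory.

    A memory scan that only keys on the 'MZ' magic would miss a module
    whose DOS header was wiped; 'zeroed' is reported as its own class so
    it can be treated as suspicious rather than as a non-PE blob.
    """
    if len(image) < DOS_HEADER_SIZE:
        return "corrupt"
    dos = image[:DOS_HEADER_SIZE]
    if dos == b"\x00" * DOS_HEADER_SIZE:
        return "zeroed"
    if dos[:2] != b"MZ":
        return "corrupt"
    e_lfanew = struct.unpack_from("<I", dos, E_LFANEW_OFFSET)[0]
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        return "corrupt"
    return "ok"


def find_pe_signature(image: bytes) -> int:
    """Locate 'PE\\0\\0' by scanning, the only option once e_lfanew is zeroed.
    Returns the offset, or -1 if absent."""
    return image.find(PE_SIGNATURE)


def build_sample() -> bytes:
    """Constructed minimal image: valid DOS header, PE signature at 0x80."""
    dos = bytearray(DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x80)
    stub = b"\x00" * (0x80 - DOS_HEADER_SIZE)          # empty DOS stub
    return bytes(dos) + stub + PE_SIGNATURE + b"\x64\x86"  # Machine = AMD64


CLEAN_IMAGE = build_sample()
# Same image with the DOS header wiped, as the modified DLL had.
ZEROED_IMAGE = b"\x00" * DOS_HEADER_SIZE + CLEAN_IMAGE[DOS_HEADER_SIZE:]

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_IMAGE), ("zeroed", ZEROED_IMAGE)):
        print(name, classify_dos_header(img), hex(find_pe_signature(img)))
```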
Command and Control
• Sends information to C&C servers
• Payload structure:
  • HTTPS POST request to 216[.]126[.]225[.]148
  • Transmit command to infected PC
Malware bug?
Talos identified a software bug present in the malicious code related to the C&C function. The sample analyzed reads a DGA-computed IP address located in the following registry location, but currently does nothing with it:
HKLM\SOFTWARE\Piriform\Agomo:NID
It is unknown what the purpose of this IP address is at this time, as the malware does not appear to make use of it during subsequent operation.
6. Malware Operation Flow
This flowchart explains the working flow of the malware. It is also important to point out that the C2 (the C&C operation) generates random DNS names to avoid DNS blocking.
7. ALMOST ONE MONTH INFECTION
Piriform has officially confirmed the security incident with CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191. It started on August 15 and was stopped on September 12. The company also updated the app to fix the flaw, and the defective version has been pulled from the server.

The Attack Results
WHAT HAS BEEN EXPLOITED?
Sensitive information such as the MAC addresses of network adapters, Windows software information and installer software information was leaked and sent to the attackers. The affected PCs could have been remotely controlled by the hacker, who could also have installed additional binaries. The company is also advising affected users to update the app to the latest version to avoid any risk.
8. The impact WORLDWIDE
The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week. If even a small fraction of those systems were compromised, an attacker could use them for any number of malicious purposes.
10. “Supply chain attacks are a very effective way to distribute malicious software. This is because of the trust relationship between a manufacturer or supplier and a customer.” - Talos
11. A philosophical problem, more than just an attack
TRUST EXPLOIT
This is a prime example of the extent that attackers are willing to go to in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates.

PATCHING
Usually, in the mind of security-aware people, patching is one of the main responses to attacks and vulnerabilities, but these software supply-chain attacks break all the models. They pass antivirus and basic security checks and, in those cases, patching is the attack vector.
12. Thanks!
If you have any questions
please contact me at:
@Leonardo Antichi
antichi.leonardo@gmail.com
😉