

Supply chain attacks are a very effective way to distribute malicious software into target organizations. This is because, with supply chain attacks, the attackers rely on the trust relationship between a manufacturer or supplier and a customer. That trust relationship is then abused to attack organizations and individuals, and the abuse may be carried out for a number of different reasons. The Nyetya worm that was released into the wild earlier in 2017 showed just how potent these types of attacks can be. Frequently, as with Nyetya, the initial infection vector can remain elusive for quite some time. Fortunately, with tools like AMP, the additional visibility can usually help direct attention to the initial vector.

Talos recently observed a case where the download servers used by a software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. CCleaner boasted over 2 billion total downloads by November of 2016, with a growth rate of 5 million additional users per week. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size, we decided to move quickly. In September 2017, Cisco Talos immediately notified Avast of our findings so that they could initiate appropriate response activities. The following sections discuss the specific details of this attack.

CCleaner is an application that allows users to perform routine maintenance on their systems. It includes functionality such as cleaning temporary files, analyzing the system to determine ways in which performance can be optimized, and providing a more streamlined way to manage installed applications.

In September 2017, while conducting customer beta testing of our new exploit detection technology, Cisco Talos identified a specific executable which was triggering our advanced malware protection systems. Upon closer inspection, the executable in question was the installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers.

Talos began initial analysis to determine what was causing this technology to flag CCleaner. We identified that even though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. Because the signature still verifies, the malicious code must have been present when the binary was signed rather than patched in afterwards; a valid signature proves only that the file is unchanged since signing, not that what was signed is clean. During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner's download server as recently as September 11, 2017. In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. The version containing the malicious payload (5.33) was being distributed between these dates.

This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec. Piriform was the company that Avast recently acquired and was the original developer of the CCleaner software application.

Figure 2: Digital Signature of CCleaner 5.33

A second sample associated with this threat was discovered. This second sample was also signed using a valid digital certificate; however, the signing timestamp was approximately 15 minutes after the initial sample was signed.
Update 9/19: There has been some confusion on how the DGA domains resolve. The fallback command and control scheme in use by the CCBkdr involves:

1. Generating a monthly domain name (all of which are controlled by Talos for 2017)
2. Resolving that domain to obtain its A records
3. Encoding 16 bits of the true destination IP in the first A record and the other 16 bits in the second A record
4. Computing the true destination IP from those two records and connecting to it

To control the connections, Talos had to create two IPs such that, when fed into the application, they resolve to the sinkhole IP. 32 bits of random data were generated. 16 of those bits were combined with 16 bits of the destination address to create the first A record; the remaining 16 random bits were combined with the remaining 16 bits of the destination address to create the second A record. The resulting two A-record IP addresses were then assigned to the DNS configuration. No analysis was performed on the selected addresses beyond confirming that they could be combined to create the destination.

Update 9/20: Continued research on C2 and payloads can be found here:
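The two-A-record address encoding described in the update above, as an added worked example in Python. This is not Talos' code and not the backdoor's own routine; it reproduces the scheme the update describes so the sinkhole construction can be checked end to end. The page does not say which 16 bits of each A record carry the destination, so the code assumes the low 16 bits of each record are payload and the high 16 bits are the random filler, with the first record carrying the high half of the destination. All addresses are constructed examples from documentation ranges.

```python
"""
Two-A-record C2 address encoding (CCBkdr fallback scheme, 9/19 update).

Added example, not Talos' or the backdoor's code. The page does not state
the bit layout, so this ASSUMES:
  * low 16 bits of each A record  = destination bits (payload)
  * high 16 bits of each A record = random filler
  * record 1 carries the high half of the destination, record 2 the low half
All IPs used here are constructed documentation-range examples.
"""
import ipaddress
import secrets
from typing import Optional, Tuple


def _ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))


def _int_to_ip(n: int) -> str:
    return str(ipaddress.IPv4Address(n & 0xFFFFFFFF))


def build_a_records(destination: str, filler: Optional[int] = None) -> Tuple[str, str]:
    """Build the two A records that make a DGA domain resolve to `destination`.

    This is the sinkhole construction from the update: 32 random bits are drawn,
    16 of them go into each record alongside 16 bits of the destination.
    `filler` lets a caller supply those 32 bits for a reproducible result;
    otherwise fresh random bits are used, as Talos did.
    """
    dest = _ip_to_int(destination)
    if filler is None:
        filler = secrets.randbits(32)
    filler &= 0xFFFFFFFF

    dest_hi, dest_lo = dest >> 16, dest & 0xFFFF
    fill_hi, fill_lo = filler >> 16, filler & 0xFFFF

    # ASSUMED layout: filler in the high half, destination bits in the low half.
    record1 = (fill_hi << 16) | dest_hi
    record2 = (fill_lo << 16) | dest_lo
    return _int_to_ip(record1), _int_to_ip(record2)


def recover_destination(record1: str, record2: str) -> str:
    """What the backdoor does after the DNS lookup: take 16 bits from each
    A record and reassemble the real destination address."""
    hi = _ip_to_int(record1) & 0xFFFF
    lo = _ip_to_int(record2) & 0xFFFF
    return _int_to_ip((hi << 16) | lo)


def candidate_destinations(record1: str, record2: str) -> Tuple[str, str]:
    """Resolvers frequently rotate the order of A records, and the page does not
    say how the backdoor decides which record is 'first'. Return the decoded
    address for both orderings so an analyst can test each against known
    C2 or sinkhole addresses."""
    return recover_destination(record1, record2), recover_destination(record2, record1)


if __name__ == "__main__":
    sinkhole = "192.0.2.10"  # constructed example, TEST-NET-1
    rec1, rec2 = build_a_records(sinkhole, filler=0xDEADBEEF)
    print("A records to publish:", rec1, rec2)
    print("backdoor recovers   :", recover_destination(rec1, rec2))
    print("if order is swapped :", candidate_destinations(rec2, rec1))
```

Note that the filler makes the published A records look nothing like the real destination (192.0.2.10 becomes 222.173.192.0 and 190.239.2.10 with the filler above), which is why looking only at the DNS answer for the DGA domain does not reveal the C2 address. The swapped-order case is the practical caveat: if the two records arrive in the other order, the same bits decode to a different address, so anyone building a sinkhole or a detection on this scheme has to account for how record order is pinned down, which this page does not specify.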
