[CERT ALERT] – CCleaner: A Vast Number of Machines at Risk

CERT-DVT Alerte CERT

A vulnerability has been identified very recently by Talos Group (Cisco), in Piriform CCleaner tool:
On September 13, 2017, Cisco Talos identified the installer CCleaner v5.33 which was triggering the advanced malware protection systems.

The legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner

CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week

Devoteam CERT recommends:

  • Antivirus Scan
  • Using anti-malware tools like Malwares Bytes or Advanced Malware Protection before executing the CCleaner installer
  • Update CCleaner to version 5.34 or uninstall it pending clarifications

AFFECTED PRODUCT

CCleaner 5.33 (The version containing the malicious payload (5.33) was being distributed between 2017-08-15 and 2017-09-12)

TECHNICAL DETAILS – MALWARE PROCESS FLOW

CCleaner helps user to analyse and clean the system environment. It can also optimize the performance and manage installed applications.

https://2.bp.blogspot.com/-qi4FSpRozUc/Wb8VCqNIdUI/AAAAAAAAAXQ/1TRYybdmkkUbrd428EfrM3d4NSG_DGQ0QCLcBGAs/s640/image7.png

The installer using a valid digital signature issued to Piriform and is hosted on CCleaner’s download server. The 32-bit version included a malicious payload which can be divided in two parts:

  • Command & Control (C2) functionality
  • A Domain Generation Algorithm (DGA)

Domain generation algorithms (DGA) are algorithms seen in various families of malware that are used to periodically generate a large number of domain names that can be used as rendezvous points with their command and control servers.

When CCleaner is executed, the PIC PE loader locates and executes DLL CBkrdr.dll in order to evade detection and had the IMAGE_DOS_HEADER zeroed out.

https://4.bp.blogspot.com/-X9-_9SiuBP0/Wb8WQexo8ZI/AAAAAAAAAXo/SBbA7V2Z9isGCELtbm_tPtpDB51CES-9wCLcBGAs/s640/image3.png

The malware will delay for 601 seconds then checks if the user has the admin rights then the C2 can be deployed and stored in memory.

If the C2 server does not return a response to the HTTP POST request it will use the DGA Algorithm to perform DNS request in order to define a new C2 IP address.

https://4.bp.blogspot.com/-GOYL8CfAQLo/Wb8WmLtqcEI/AAAAAAAAAXs/Zacg_DmAPh8FL-bHuMTMr1iFDySTicqxwCLcBGAs/s1600/image1.png

The deployment of CCleaner is quite enormous and probably led to a massive C2 deployment.

Source: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html