Piriform’s CCleaner modified to deliver malicious backdoor
On September 18, 2017, CCleaner’s developer, Piriform, announced that recent versions of the CCleaner and CCleaner Cloud software had been compromised via a supply chain attack. The compromised versions were available for download from August 15th until September 12th. The compromised versions included a malicious backdoor which stealthily communicated with a command and control server and could allow malicious actors to take remote control of systems with affected versions of CCleaner installed.
The following 32-bit versions of CCleaner were compromised and included the malicious backdoor:
- CCleaner v5.33.6162 (32 bit)
- CCleaner Cloud v1.07.3191 (32 bit)
Avast, Piriform’s parent company, has determined that the malicious versions of the software were downloaded by approximately 2.27 million people. The malicious code included with these versions of CCleaner automatically transmitted the machine’s host name, IP address, Active Directory domain, a list of installed software, network adapters, and other information to a command and control (C&C) server in the United States. If the infected computer’s Active Directory domain matched a list of domains being actively targeted by the attackers, the software then downloaded a second stage payload, a trojan, from the server. This trojan provided attackers remote administrative access to the compromised systems.
The command and control server was taken down by US law enforcement on the 15th of September. However, based on the attackers’ level of sophistication and the length of time the compromised software was available for download, all clients are advised to quickly identify hosts that downloaded the affected versions of CCleaner and re-image those machines.
A modification of the 32-bit CCleaner binary resulted in a two-stage backdoor allowing attackers remote control of affected computers in organizations that were specifically targeted. The malicious code was placed in the C runtime (CRT) initialization code inserted during compilation. The modified version of CCleaner decrypted and unpacked shellcode, which resulted in a modified DLL executing on the system. This malicious code then stored several unique identifiers from the backdoored machines in the following registry location:
The malicious software automatically collected the following information about compromised machines: host name, IP address, Active Directory domain, a list of installed software, network adapters, and whether the currently logged-on user was a local administrator. The information was then encrypted and sent to a hardcoded command and control (C&C) server with an external IP address of 216[.]126[.]225[.]148.
If the machine’s active directory domain matched a pre-defined list of targeted domains, the software was instructed to download the second stage payload, a trojanized binary. The second stage payload downloaded depends on the machine’s processor architecture:
- 32-bit systems – TSMSISrv.dll
- 64-bit systems – EFACLi64.dll
Evidence of the second stage payload (the GeeSetup_x86.dll trojan) can be identified by the existence of the following registry keys:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP
The following DLLs would also be present on the systems:
- GeeSetup_x86.dll Hash: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
- EFACli64.dll Hash: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f
- TSMSISrv.dll Hash: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902
- DLL in Registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
- Stage2 Payload: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
Hashes for the compromised versions of the CCleaner executables are as follows:
CCleaner version 5.33.6162 was released on 15 August 2017 and was automatically updated to a non-trojanized version on 12 September 2017. CCleaner Cloud version 1.07.3191 was released on 24 August 2017 and was also updated on 12 September 2017.
Mitigation and Response
Kudelski Security recommends that clients immediately scan workstations for evidence of affected CCleaner versions (CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) and the presence of the following registry key:
As of September 21st, all major antivirus vendors can detect the compromised versions of CCleaner as well as the second stage trojan currently being utilized.
Kudelski Security’s Cyber Fusion Center has performed Threat Hunting to identify the presence of affected CCleaner versions and the potential presence of the second stage backdoor. The CFC team has reached out to Threat Monitoring clients we believe may be affected.
Due to the sophisticated nature of the attackers who perpetrated these attacks, Kudelski Security recommends the following actions if you confirm the presence of an affected version of CCleaner:
- Disconnect the host from the network.
- Extract and save forensic data and initiate an investigation to understand the severity and extent of the breach.
- Collect activity logs of the compromised host and users.
- Re-image the machine to a known good corporate image.
Removal of the affected CCleaner versions is not sufficient as the backdoor may still be present.
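A triage script that checks a single Windows host for the indicators listed in this advisory (the affected build numbers, the WbemPerf registry entries left by the second stage, and the second stage DLL hashes). This is an added example, not Kudelski Security’s or Piriform’s code; the CCleaner install directories and the directories searched for DLLs are assumptions and should be adjusted for your environment.

```powershell
# Added triage example (not Piriform's or Kudelski Security's code). Run elevated.
# Install directories and DLL search roots below are assumptions.
$affectedVersions = @('5.33.6162', '1.07.3191')
$ccleanerDirs = @("$env:ProgramFiles\CCleaner", "${env:ProgramFiles(x86)}\CCleaner")
$wbemPerf = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf'
$stage2Entries = @('001', '002', '003', '004', 'HBP')
# SHA-256 hashes of the second stage DLLs exactly as listed in the advisory
$knownBad = @{
    'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83' = 'GeeSetup_x86.dll (stage 2 payload)'
    '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f' = 'EFACli64.dll'
    '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902' = 'TSMSISrv.dll'
    'f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a' = 'DLL stored in registry'
}
$findings = @()

# 1. Is an affected CCleaner build installed? Compare the file version of CCleaner.exe.
foreach ($dir in $ccleanerDirs) {
    $exe = Join-Path $dir 'CCleaner.exe'
    if (Test-Path $exe) {
        $ver = (Get-Item $exe).VersionInfo.FileVersion
        if ($affectedVersions -contains $ver) { $findings += "Affected CCleaner version $ver at $exe" }
    }
}

# 2. Second stage registry indicators: 001-004 and HBP may exist as values or subkeys
#    under WbemPerf, so both forms are checked.
if (Test-Path $wbemPerf) {
    $props = Get-ItemProperty -Path $wbemPerf
    foreach ($name in $stage2Entries) {
        if (($null -ne $props.$name) -or (Test-Path (Join-Path $wbemPerf $name))) {
            $findings += "Stage 2 registry indicator present: $wbemPerf\$name"
        }
    }
}

# 3. Known-bad DLLs by SHA-256, limited to the three file names the advisory gives.
$searchRoots = @("$env:SystemRoot\System32", "$env:SystemRoot\SysWOW64", "$env:TEMP")
$dllNames = @('TSMSISrv.dll', 'EFACli64.dll', 'GeeSetup_x86.dll')
foreach ($root in $searchRoots) {
    Get-ChildItem -Path $root -Include $dllNames -Recurse -File -ErrorAction SilentlyContinue |
      ForEach-Object {
        $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
        if ($knownBad.ContainsKey($h)) { $findings += "Known-bad DLL $($knownBad[$h]) at $($_.FullName)" }
      }
}

if ($findings.Count -eq 0) { 'No CCleaner compromise indicators found on this host' } else { $findings }
```

Any finding should be treated as a confirmed hit and handled with the isolation and re-imaging steps above, since a clean file-version check alone does not rule out a second stage that has already been dropped.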
Piriform Release Announcements:
Piriform Blog: Security notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3192 for 32-bit Windows users:
Cisco Talos Original Advisory:
Cisco Talos updated advisory with information on C&C and adversary’s sophistication:
Ghacks Malware second payload discovered: