N-Dimension Solutions Flash Alert: CCleaner Distributing Malware With Version 5.33.6162

By Mihir Kapadia, VP of Engineering, N-Dimension Solutions

At Risk Public Power Communities: All
Risk Level: Medium
Summary: Immediate notification expanded to all utilities!

CCleaner is a popular “PC Cleaning and Optimization” tool developed by Piriform. Avast acquired Piriform on July 18th, 2017.

Confirmed on September 19, 2017: malware was distributed alongside the Windows versions of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. Any customer running either affected version should update to the newest version available on Piriform’s website. Customers who purchased CCleaner Pro or CCleaner Cloud have had their products auto-updated. Avast concluded that the malicious second-stage payload was never deployed to the infected hosts and that any potential threat has been mitigated.
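The first question an administrator has to answer is which hosts actually ran one of the two affected builds. The following script is an added example, not N-Dimension’s, Piriform’s or Avast’s code: it reads a software inventory export (the hostname,product,version CSV layout and the hostnames are constructed for illustration) and sorts CCleaner installs into affected, out of date, or clean. The only inputs taken from the alert are the two affected build numbers, CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.

```python
"""Flag hosts running the trojanized CCleaner builds in a software inventory.

Added example; this is not N-Dimension's, Piriform's or Avast's code. The
inventory layout (hostname,product,version CSV) and the hostnames are
constructed for illustration. Only the affected build numbers come from the
alert: CCleaner 5.33.6162 (Windows) and CCleaner Cloud 1.07.3191.
"""
import csv
import io
import re
from typing import Dict, List, Tuple

# Exact builds the alert names as carrying the malware.
AFFECTED: Dict[str, Tuple[int, ...]] = {
    "ccleaner": (5, 33, 6162),
    "ccleaner cloud": (1, 7, 3191),
}

# Pull the first dotted number run out of strings such as "v5.34.6207 (64-bit)".
_VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def parse_version(text: str) -> Tuple[int, ...]:
    """'1.07.3191' -> (1, 7, 3191); raises ValueError if no version is present."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.group(0).split("."))


def classify(product: str, version: str) -> str:
    """Return one of: not_ccleaner, unknown_version, affected, verify_manually,
    update_recommended, ok."""
    key = product.strip().lower()
    if key not in AFFECTED:
        return "not_ccleaner"
    try:
        found = parse_version(version)
    except ValueError:
        return "unknown_version"
    bad = AFFECTED[key]
    if found == bad:
        return "affected"
    # A truncated inventory entry such as "5.33" cannot be told apart from the
    # bad build, so send it for a manual check rather than calling it clean.
    if len(found) < len(bad) and found == bad[: len(found)]:
        return "verify_manually"
    if found < bad:
        return "update_recommended"   # older, not trojanized, but out of date
    return "ok"                       # newer than the affected build


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = """\
hostname,product,version
scada-hmi-01,CCleaner,5.33.6162
ops-ws-07,CCleaner,v5.34.6207 (64-bit)
billing-ws-12,CCleaner Cloud,1.07.3191
eng-laptop-03,CCleaner,5.32.6129
eng-laptop-04,CCleaner,5.33
eng-laptop-05,CCleaner,unknown
dc-01,7-Zip,16.04
"""


def scan_inventory(csv_text: str) -> Dict[str, List[str]]:
    """Group hostnames by the status returned by classify(); rows for other
    products are dropped."""
    report: Dict[str, List[str]] = {
        "affected": [], "verify_manually": [], "update_recommended": [],
        "ok": [], "unknown_version": [],
    }
    for row in csv.DictReader(io.StringIO(csv_text)):
        status = classify(row["product"], row["version"])
        if status in report:
            report[status].append(row["hostname"])
    return report


if __name__ == "__main__":
    for status, hosts in scan_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:20s} {', '.join(hosts) or '-'}")
```

Any host in the affected list should be treated as compromised rather than simply updated; the same export can be regenerated from your asset-management tool after remediation to confirm nothing was missed. Entries with no parseable version, or with a truncated one, are listed separately so they are not silently counted as clean.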

>>> Prevent Exposure To Your Network! <<<

If you do not know if your utility has been affected or you are interested in preventing future risks due to attack:

Contact Scott Mossbrooks, U.S. Senior Director of Sales, N-Dimension.

On September 12th, 2017, Morphisec observed CCleaner 5.33.6162 sending data to an unknown IP address and notified Avast/Piriform and Cisco of the suspicious behavior. Avast/Piriform and Cisco’s Talos Intelligence investigated in parallel and determined that CCleaner 5.33.6162 contained a multi-stage malware payload with both a hardcoded command-and-control (C2) address and a domain generation algorithm (DGA) fallback. The modified CCleaner was distributed between August 15th and September 11th, both as a download from the Piriform website and via auto-update to existing CCleaner Pro and CCleaner Cloud users.

Incident Details
Talos identified that the legitimate CCleaner download servers were distributing an installer for CCleaner v5.33.6162 that contained malware. The downloaded installer was signed with a valid digital signature issued to Piriform by Symantec. Because the malicious executable carried a valid signature, Talos concluded that the compromise occurred somewhere in the development or signing process: most likely an external attacker who gained access to part of Piriform’s development or build environment, although an insider with sufficient access could also have introduced the code. A valid signature on the installer therefore shows only that the binary passed through Piriform’s signing step, not that it is free of malicious code.

When the malicious code inserted into CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 executes, it profiles the host system, collects system information (including the computer name, installed software, running processes and network adapter MAC addresses), encrypts it, and then encodes it with a modified base64 alphabet. It then attempts to establish a command and control (C2) channel by sending the collected information in an HTTPS POST request, over a connection presenting a self-signed SSL certificate, to 216[.]126[.]225[.]148. If no response is received from 216[.]126[.]225[.]148, the malware falls back to the DGA to locate a C2 server. Any data returned by the C2 server is held in memory and executed rather than written to disk.

Cisco Talos Intelligence has registered all of the domains generated by the DGA and sinkholed them, so a host that falls back to the DGA reaches the sinkhole rather than an attacker-controlled server.
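The beacon described above leaves a simple network footprint: an HTTPS connection to a bare IP address. The script below is an added example, not the alert’s, Avast’s or Talos’s code; it hunts an outbound-connection log for that footprint. The log lines are constructed in a simple CSV shape (ts,src_ip,dst_ip,dst_port,proto,sni) that a firewall or TLS log can be exported to, and every address except the C2 is made up. Only the C2 address 216.126.225.148 and the August 15 start of distribution come from the alert; DGA domains are not matched because the alert does not give the algorithm, and Talos has sinkholed them in any case.

```python
"""Hunt outbound-connection logs for the first-stage C2 beacon described above.

Added example; not the alert's, Avast's or Talos's code. The log lines are
constructed (ts,src_ip,dst_ip,dst_port,proto,sni) and every address other
than the C2 is made up. Only the C2 address 216.126.225.148 and the
August 15 start of distribution come from the alert.
"""
import csv
import io
from datetime import datetime, timezone
from typing import Dict, List

C2_IP = "216.126.225.148"                                  # hardcoded first-stage C2
WINDOW_START = datetime(2017, 8, 15, tzinfo=timezone.utc)  # trojanized build first served

# Constructed sample log (no real traffic).
SAMPLE_LOG = """\
ts,src_ip,dst_ip,dst_port,proto,sni
2017-08-20T09:14:02Z,10.20.5.31,216.126.225.148,443,tcp,
2017-08-20T09:14:05Z,10.20.5.31,198.51.100.5,443,tcp,www.piriform.com
2017-08-10T11:02:44Z,10.20.5.40,216.126.225.148,443,tcp,
2017-09-01T13:45:10Z,10.20.7.12,203.0.113.9,443,tcp,
2017-09-01T13:46:00Z,10.20.7.12,198.51.100.23,80,tcp,
2017-07-30T08:00:00Z,10.20.9.2,203.0.113.77,443,tcp,
"""


def parse_ts(text: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2017-08-20T09:14:02Z."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def classify_record(rec: Dict[str, str]) -> str:
    """'high' for any contact with the known C2, 'medium' for TLS to a bare IP
    (no SNI) on 443 from the distribution window onward, '' otherwise."""
    if rec["dst_ip"] == C2_IP:
        return "high"          # IOC match; deliberately not date-gated
    if (rec["proto"] == "tcp" and rec["dst_port"] == "443"
            and rec["sni"] == "" and parse_ts(rec["ts"]) >= WINDOW_START):
        return "medium"        # hunting heuristic: the beacon POSTs to an IP, not a name
    return ""


def hunt(log_text: str) -> Dict[str, List[str]]:
    """Return matching records grouped by confidence plus the sorted set of
    source hosts that should be triaged."""
    findings: Dict[str, List[str]] = {"high": [], "medium": [], "hosts": []}
    hosts = set()
    for rec in csv.DictReader(io.StringIO(log_text)):
        level = classify_record(rec)
        if level:
            findings[level].append(
                f"{rec['ts']} {rec['src_ip']} -> {rec['dst_ip']}:{rec['dst_port']}")
            hosts.add(rec["src_ip"])
    findings["hosts"] = sorted(hosts)
    return findings


if __name__ == "__main__":
    result = hunt(SAMPLE_LOG)
    for level in ("high", "medium"):
        for line in result[level]:
            print(f"[{level}] {line}")
    print("hosts to triage:", ", ".join(result["hosts"]))
```

The medium-confidence rule is noisy on networks with many raw-IP TLS connections, so in practice it should be scoped to hosts already known from the inventory to have run CCleaner. DNS logs showing lookups of the sinkholed DGA domains are a further signal that a host reached the fallback path.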

Recommendations
N-Dimension recommends that customers consider carefully which software products are used on computers within their organization. Each software product introduces a new potential security risk, and particular caution is warranted for software with auto-update functionality: if the vendor’s development or update infrastructure is compromised, an attacker can distribute a large amount of malicious code to every customer at once. In this case, according to Avast, the threat was detected and mitigated before a malicious second-stage payload was distributed to the affected hosts. Because any second stage would have been loaded directly into memory, however, a clean on-disk scan does not by itself prove that a host was untouched; Talos recommends restoring affected hosts from a backup taken before August 15th or reimaging them, rather than simply updating CCleaner.

A noteworthy aspect of the examined malicious code is that it terminates if the user running CCleaner is not an administrator. Users within your organization should not have administrative privileges unless their job function requires them. Minimizing privileges based on job role limits the potential impact of a compromise such as this one. See: Principle of Least Privilege.

Resources:

If you are concerned that your utility may be affected by CCleaner distributing malware, or you are interested in preventing future risks due to attack, contact N-Dimension:

Contact Scott Mossbrooks, U.S. Senior Director of Sales

N-Sentinel customers who have questions related to this flash alert should contact: monitoring@n-dimension.com or post a Support Request in the N-Sentinel Security Portal (https://portal.n-sentinel.com).
