CCleaner incident: what we need to know?
Looking for a good alternative to CCleaner? Take a look to BleachBit!
A good analysis by Cisco Talos
We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems.
Cisco Talos has published a interesting analysis of the malware and the C&C server.
What is Floxif?
Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server.
The malware had the ability to download and run other binaries, collect information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part.
Researchers noted that the malware only ran on 32-bit systems.
The malware also quit execution if the user was not using an administrator account.
The infection period is believed to have been between August 15th 2017 and September 12th 2017.
Downloads during this time would be at risk of possible infection.
During this period, it is thought that 2.27 million downloads have been completed from the site.
In reviewing the Version History page on the CCleaner download site, it appears that the affected version (5.33) was released on August 15, 2017. On September 12, 2017 version 5.34 was released. The version containing the malicious payload (5.33) was being distributed between these dates. This version was signed using a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018.
During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality.
C&C and Payloads
In analyzing the delivery code from the C2 server, what immediately stands out is a list of organizations that were specifically targeted through delivery of a second-stage loader, based on target’s domain:
These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor.
These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.
The report contains the analysis of PHP pages that serves the payloads and retrieves the information from infected clients, and MySQL database, used to store retrieved data:
The C2 MySQL database held two tables: one describing all machines that had reported to the server and one describing all machines that received the second-stage download, both of which had entries were dated between Sept. 12th and Sept. 16th. Over 700,000 machines reported to the C2 server over this time period, and more than 20 machines have received the second-stage payload.
During the compromise, the malware would periodically contact the C2 server and transmit reconnaissance information about infected systems. This information included IP addresses, online time, hostname, domain name, process listings, and more.
Indicators of compromise
How to remove the infection?
The malware was embedded in the CCleaner executable itself.
Updating CCleaner to v5.34 removes the old executable and the malware.
However, as the installed Floxif infection was sending information about your computer and had the ability to download and install other programs, you should change all your passwords and reinstall Windows to be 100% safe.