CCleaner v5.33 & CCleaner Cloud v1.07 malware infection

Impacted Software: CCleaner v5.33 (32-bit) and CCleaner Cloud v1.07 (32-bit)

Sources

- Official AVAST communication: https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident and https://blog.avast.com/progress-on-ccleaner-investigation
- Technical Overview: http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

Risks

Infected systems are exposed to theft of (sensitive) information, takeover of installed software, and enrolment in a botnet.

Summary

On Monday, September 18th 2017, Piriform warned that the 32-bit version v5.33 of their ‘CCleaner’ software and the 32-bit version v1.07 of the ‘CCleaner Cloud’ software had been infected with malware. These specific versions were available on their website between August 15th and September 12th.

Users who installed these specific software versions during the aforementioned timeframe are at risk of being infected. It has become clear that the infection was part of a larger watering hole attack in which targeted machines downloaded additional payloads.

Following preliminary analysis, it appears that 64-bit users who installed the 32-bit software were not infected by the malware. We would, however, recommend scanning such systems for infections.

Remediations

Users of infected systems are advised to restore their system to a point in time before August 15th; if that is not possible, they are advised to reinstall their system. After that, they are advised to update the software to the most recent version.

Indicators of compromise (IOCs)

Credit: https://talosintelligence.com

File Hashes:
6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9

DGA Domains:

IP Addresses:
216[.]126[.]225[.]148

IT security firm NVISO (https://www.nviso.be/) has created YARA rules that aid in the detection of infections:

import "hash"
rule ccleaner_compromised_installer {
	condition:
		filesize == 9791816 and hash.sha256(0, filesize) == "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff"
}
rule ccleaner_compromised_application {
	condition:
		filesize == 7781592 and hash.sha256(0, filesize) == "36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9" or
		filesize == 7680216 and hash.sha256(0, filesize) == "6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9"
}
rule ccleaner_compromised_pdb {
	strings:
		$a = "s:\\workspace\\ccleaner\\branches\\v5.33\\bin\\CCleaner\\Release\\CCleaner.pdb"
		$b = "s:\\workspace\\ccleaner\\branches\\v5.33\\bin\\CCleaner\\ReleaseTV\\CCleaner.pdb"
	condition:
		uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x00004550 and ($a or $b)
}
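For hosts where YARA is not available, the following added example (not part of the advisory and not NVISO's code) re-implements the same three checks in Python: the size and SHA-256 pairs from the hash rules, and the MZ/PE header test plus the tainted PDB paths from the third rule. The sample byte strings at the bottom are constructed for demonstration only.

```python
"""Python re-implementation of the NVISO YARA rules quoted in the advisory.
Hashes, file sizes and PDB paths are copied from the advisory; the sample
inputs below are constructed and are not real CCleaner binaries."""
import hashlib
import struct

# file size -> (rule name, SHA-256), as published for installer and application.
KNOWN_BAD = {
    9791816: ("ccleaner_compromised_installer",
              "1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff"),
    7781592: ("ccleaner_compromised_application",
              "36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9"),
    7680216: ("ccleaner_compromised_application",
              "6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9"),
}
# Debug-symbol paths embedded in the trojanised v5.33 build.
PDB_PATHS = (
    b"s:\\workspace\\ccleaner\\branches\\v5.33\\bin\\CCleaner\\Release\\CCleaner.pdb",
    b"s:\\workspace\\ccleaner\\branches\\v5.33\\bin\\CCleaner\\ReleaseTV\\CCleaner.pdb",
)

def is_pe(data: bytes) -> bool:
    """Same test as the rule: uint16(0) == 0x5A4D and uint32(uint32(0x3C)) == 0x4550."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def scan(data: bytes) -> list[str]:
    """Return the names of the rules that match the given file contents."""
    hits = []
    entry = KNOWN_BAD.get(len(data))  # size check first, exactly as the rules do
    if entry and hashlib.sha256(data).hexdigest() == entry[1]:
        hits.append(entry[0])
    if is_pe(data) and any(p in data for p in PDB_PATHS):
        hits.append("ccleaner_compromised_pdb")
    return hits

def scan_file(path: str) -> list[str]:
    with open(path, "rb") as fh:
        return scan(fh.read())

# Constructed samples: a minimal MZ/PE header (e_lfanew = 0x40) plus a payload.
_HEADER = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
SAMPLE_TAINTED = _HEADER + PDB_PATHS[0]
SAMPLE_CLEAN = _HEADER + b"no debug path here"

if __name__ == "__main__":
    print(scan(SAMPLE_TAINTED))  # ['ccleaner_compromised_pdb']
    print(scan(SAMPLE_CLEAN))    # []
```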