Potentially serious - Update your CC Cleaners! Backdoor infection.

Man of Honour
Joined
13 Oct 2006
Posts
91,163
I can't believe that with so many security companies (including Avast, under whose noses it happened) and infosec experts knocking about with opinions, they cannot dissect the malware and figure out its capabilities/behaviour.

Let's not forget that some folk (Morphisec?) out there warned these guys about it over a month ago, so that's plenty of time to crack on and test.

A lot of malware these days uses a cocktail of bespoke and off-the-shelf components, is often dynamic in nature, and sometimes goes through a process of metamorphosis once it gets a foothold, which can differ in a targeted manner. A proper forensics teardown would need captures at various stages, machines quarantined early on, logs of network traffic, etc.

Not sure if it's just lack of imagination or what, but there seems to be a lot of resistance as well to proper examination of some recent attacks. WannaCry, for instance: there are still massive holes in the details of its operation, including early attack vectors and side-loaded components that even the respected security researchers gloss over like they aren't even there, and which are actually one of the more pertinent aspects of that attack. It leaves me astounded that there is so little desire to fully understand it, especially after people like IBM's security team, Avast, etc. categorically stated that their bulk monitoring shows very minor levels of spread via the attack vectors that everyone assumes were the way it initially operated. Plus, if you look at the nature of its spreading compared to any older worm-like attacks, there are some significant differences which should be raising questions, but no one seems to be interested.
 
Soldato
Joined
25 Mar 2008
Posts
9,182
Hmmn.... I seem to have bypassed all this by using the portable version. :cool:
Classy post.

To those talking about 32- vs 64-bit, I understood that was just the installer, not the program itself.

It seems to me that if your antivirus/malware detector flags a problem with something in the installation folder, there's the chance something else could have been installed.

The reports from Piriform suggest that they believe nothing was ever downloaded from the source linked to in the infected installer. I don't put much faith in that.
 
Soldato
Joined
1 Mar 2010
Posts
21,923
lol - read the link I posted earlier

..
Within the 32-bit CCleaner v5.33 binary included with the legitimate CCleaner v5.33 installer, '__scrt_get_dyn_tls_init_callback' was modified to call to the code at CC_InfectionBase(0x0040102C). This was done to redirect code execution flow within the CCleaner binary to the malicious code prior to continuing with the normal CCleaner operations. The code that is called is responsible for decrypting data which contains the two stages of the malicious payload, a PIC (Position Independent Code) PE loader as well as a DLL file that effectively functions as the malware payload. The malware author had tried to reduce the detection of the malicious DLL by ensuring the IMAGE_DOS_HEADER was zeroed out, suggesting this attacker was trying to remain under the radar to normal detection techniques.

The binary then creates an executable heap using HeapCreate(HEAP_CREATE_ENABLE_EXECUTE,0,0). Space is then allocated to this new heap which is where the contents of the decrypted data containing the malware is copied. As the data is copied to the heap, the source data is erased. The PE loader is then called and begins its operation. Once the infection process has been initiated, the binary erases the memory regions that previously contained the PE loader and the DLL file, frees the previously allocated memory, destroys the heap and continues on with normal CCleaner operations.
...

leaves me astounded that there is so little desire to fully understand it
Agree this seems surprising, but maybe Piriform/Avast are disclosing more details to their paying customers, and equally for the other companies, do they just reveal as little analysis info as possible so that the bad guys are kept guessing?
 
Soldato
Joined
25 Mar 2008
Posts
9,182
lol - read the link I posted earlier

agree this seems surprising, but maybe Piriform/Avast are disclosing more details to their paying customers, and equally for the other companies do they just reveal as little analysis info as possible, so that the bad guys are kept guessing.
I'll be honest - that means nothing to me! Can you translate?
 
Soldato
Joined
1 Mar 2010
Posts
21,923
That was part of the earlier post/link describing the detective/reverse-engineering analysis of the attack - it is impressive stuff.
How they modified the CCleaner program/binary (whether it was done by the installer is not very clear, but the CCleaner program ends up corrupted); it then starts profiling the victim's system and sending off details of running processes to the bad guys, who then decide what they want to do with you.
The specific targeting of Samsung/Sony/Cisco domains is interesting; surprising Piriform have such commercial customers, and you wonder how far they could get with industrial espionage without being detected.
Analysis is unclear on the authors, but speculates on PR China.
 
Soldato
OP
Joined
18 May 2010
Posts
22,376
Location
London
Now that the payloads have been analysed and they know what additional files get corrupted if you are infected,
which of the system scanners can now do that - what would I need to be running?

I just checked for Avast, which I currently use, and am unable to confirm if they do it (yes - same company now, so maybe I should abandon ship),
but even for Malwarebytes I cannot find this kind of information.

It would be interesting to create these registry keys and see if your system flags them up.

If you look in the Microsoft database, although they flag CCleaner,
there is nothing about EFACli64.dll.

I have this on my system but it is empty and there is nothing in the key:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\

The 001, 002 etc. don't exist.

I don't have the following files on my system, as listed here.

  • %System%\TSMSISrv.dll
  • %System%\spool\prtprocs\w32x86\localspl.dll
 
Soldato
Joined
1 Mar 2010
Posts
21,923
I have this on my system but it is empty and there is nothing in the key:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\
The 001, 002 etc. don't exist.
I don't have the following files on my system, as listed here.

Thanks, that is interesting. So Symantec are checking; it must be related to the CCleaner compromise, given the 21 Sep date,
but interesting that they do not seem to acknowledge the link, or did I miss it?

I guess Trojan.Famberp is the name I should be looking for in Avast, to see if they identify it too.
 
Soldato
OP
Joined
18 May 2010
Posts
22,376
Location
London
Someone posted a video here that might be of interest....

(music is terrible and adds nothing useful to the video)

A couple of posts to read.....

https://www.wilderssecurity.com/threads/ccleaner-v5.370654/page-26#post-2707924

https://www.wilderssecurity.com/threads/ccleaner-v5.370654/page-27#post-2708085

The above taken from a thread over at the CCleaner forums....

https://forum.piriform.com/index.php?showtopic=48869

:p:p:p:p:p:p:p

The music is like the author is intentionally trying to troll you.
 
Soldato
OP
Joined
18 May 2010
Posts
22,376
Location
London
Hang on... does the presence of this reg key mean my system was compromised?

x64
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf

That's what this seems to suggest.

This seems to suggest not.

So was it just the 32-bit that was infected, or the x64 as well? Still not clear on that point.

---

Malwarebytes says I'm clean.
 
Soldato
Joined
1 Mar 2010
Posts
21,923
I think it is only 32-bit installs that can be compromised, but depending on whether the install is on a 32- or 64-bit system, different registry keys will be used (to store the binary code that is the trojan),
so it uses the additional registry key
HKEY_LOCAL_MACHINE\Software\Piriform\Agomo
if it is on an x86 system.

Confusingly, the Symantec virus DB does not seem to mention this key though.
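A triage script added for this thread (it is not code from Piriform, Avast, Talos or Symantec) that checks the registry keys and file paths named in the posts above. It treats an empty WbemPerf key as benign, since one poster has it empty on a clean machine, and flags only keys that carry values; the WOW6432Node path for Agomo and the System32 location for EFACli64.dll are assumptions, as the thread gives only the key and file names.

```powershell
# Added triage script; not from Piriform, Avast, Talos or Symantec. Run from an elevated prompt.
$sysDir = [Environment]::GetFolderPath('System')   # what the write-up calls %System%

$regKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf',
    'HKLM:\SOFTWARE\Piriform\Agomo',
    'HKLM:\SOFTWARE\WOW6432Node\Piriform\Agomo'   # assumed: where a 32-bit process lands on x64
)
$files = @(
    (Join-Path $sysDir 'TSMSISrv.dll'),
    (Join-Path $sysDir 'spool\prtprocs\w32x86\localspl.dll'),
    (Join-Path $sysDir 'EFACli64.dll')   # assumed location; the thread gives only the file name
)

foreach ($key in $regKeys) {
    if (-not (Test-Path $key)) { Write-Output "key absent: $key"; continue }
    # Named values under the key, ignoring the PS* metadata properties PowerShell adds
    $values = (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        Select-Object -ExpandProperty Name
    if (-not $values) {
        # The key alone is seen on clean systems; the 001, 002 ... values are the indicator
        Write-Output "key present but empty (seen on clean systems): $key"
    } else {
        Write-Output "KEY PRESENT WITH VALUES, investigate: $key -> $($values -join ', ')"
    }
}

foreach ($file in $files) {
    if (Test-Path $file) { Write-Output "FILE PRESENT, investigate: $file" }
    else                 { Write-Output "file absent: $file" }
}

# Report any installed CCleaner build; the compromised one is 5.33.6162 (32-bit)
Get-ChildItem -Path 'C:\Program Files*\CCleaner\CCleaner.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $ver  = $_.VersionInfo.FileVersion
        $flag = if ($ver -like '5.33.6162*') { 'AFFECTED BUILD' } else { 'other build' }
        Write-Output "CCleaner at $($_.FullName): version $ver ($flag)"
    }
```

A hit on a file or a populated key is a reason to run a full scan with current definitions, not proof of compromise on its own.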
 
Soldato
Joined
15 Oct 2005
Posts
5,861
Location
Earth, for now
Shouldn't skim read, but I thought it was delivered over the installer and it could potentially launch either the 32- or 64-bit, but they only chose the 32-bit (could be my bad reading). The Piriform blog just states "CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191", which does not clarify OS system type.

The bottom link in my post above yours.......

Dear CCleaner customers, users and supporters,

We would like to apologise for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. We recently determined that these versions of our software had been compromised. We resolved this quickly and believe no harm was done to any of our home users, but we do have evidence that this has targeted large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US. This compromise only affected customers with the 32-bit version of the v5.33.6162 of CCleaner and the v1.07.3191 of CCleaner Cloud. No other Piriform or CCleaner products were affected.

We encourage all users of the 32-bit version of CCleaner v5.33.6162 to download the latest version of CCleaner: here. We apologize and are taking extra measures to ensure this does not happen again.

.....bold bits are added by me.

Take a read of the thread over at their forums :)
 
Soldato
Joined
21 Jul 2005
Posts
20,047
Location
Officially least sunny location -Ronskistats
Vimes, I probably read too much in a short space of time. Somewhere in the Avast blog you linked it mentioned:

"Structurally, the DLLs are quite interesting because they piggyback on other vendors’ code by injecting the malicious functionality into legitimate DLLs. The 32-bit code is activated through a patched version of VirtCDRDrv32.dll (part of Corel’s WinZip package), while the 64-bit uses EFACli64.dll – part of a Symantec product."
 
Soldato
Joined
15 Oct 2005
Posts
5,861
Location
Earth, for now
^^^^ I started to read and found that the more I read, the less clear I became. I do know that Windows Defender picked up a back door threat in the CCleaner 5.33 I had downloaded, even though I use the 64-bit version. I assumed that was because there is one file to download for both the 32- and 64-bit version, or since the discovery that version is now tagged as being potentially or actually an issue..?

Reading more over at Reddit has just muddied further my understanding.

I have just relied, wisely or not, on the first post in that thread and then removed CCleaner altogether. I wasn't using it much anyway. For me Windows Defender/Malwarebytes and Windows Firewall Control have been fine.

I am not prepared to do a format C and I do not have an image prior to installing that particular version of CCleaner, I know that you have not suggested that but it seems many have done so.
 
Soldato
OP
Joined
18 May 2010
Posts
22,376
Location
London
^^^^ I started to read and found that the more I read, the less clear I became. I do know that Windows Defender picked up a back door threat in the CCleaner 5.33 I had downloaded, even though I use the 64-bit version. I assumed that was because there is one file to download for both the 32- and 64-bit version, or since the discovery that version is now tagged as being potentially or actually an issue..?

Reading more over at Reddit has just muddied further my understanding.

I have just relied, wisely or not, on the first post in that thread and then removed CCleaner altogether. I wasn't using it much anyway. For me Windows Defender/Malwarebytes and Windows Firewall Control have been fine.

I am not prepared to do a format C and I do not have an image prior to installing that particular version of CCleaner. I know that you have not suggested that, but it seems many have done so.

If any of your scans ever showed up an infection, especially one related to this, even if you've upgraded the program it's best to do a reformat.

I've run Windows Defender and Malwarebytes and both are clean. If either of them showed anything, 100% reformat time.
 
Soldato
Joined
15 Oct 2005
Posts
5,861
Location
Earth, for now
If any of your scans ever showed up an infection, especially one related to this, even if you've upgraded the program it's best to do a reformat.

I've run Windows Defender and Malwarebytes and both are clean. If either of them showed anything, 100% reformat time.

Good job that it didn't do that for me then. :)

It only showed the downloaded file as having that issue, and that was retrospectively, after the definitions for Defender got updated.

I believe that the definitions are updated to reflect that particular version of CCleaner rather than necessarily a specific issue with what I had.

The system was always showing as clean, as it is now. That hadn't changed.
It scanned as clean with CCleaner installed and continues to do so with it removed.

Good advice though, as I was prepared to format if anything had shown as an issue. That in itself is not a big deal. Customising the applications afterwards can be.
 