Smart Scan and Conventional Scan

The following hashes related to the trojanized CCleaner are already detected as BKDR_CCHACK.A and BKDR_CCHACK.B by Trend Micro Smart Scan and Conventional pattern version 13.671.00. Related files are detected as TROJ_CCHACK.A, TROJ64_CCHACK.A, REG_CCHACK.A and TROJ_CCHACK.B.

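As an added example (not Trend Micro's code), the following Python scanner parses indicator lines in the "<hash> (<size> bytes) as <detection>" format used above and hashes only files whose size appears in the list, so most of a directory tree is skipped without being read; the sample file and the placeholder SHA-256 line are constructed for the demo.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Advisory line format: "<hash> (<size> bytes) as <detection>"; MD5, SHA-1 and SHA-256 lengths.
IOC_LINE = re.compile(
    r"^\s*([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\s+\(([\d,]+) bytes\)\s+as\s+(\S+)"
)
HASH_ALGO = {32: "md5", 40: "sha1", 64: "sha256"}


def parse_iocs(text):
    """Return {(algo, hexdigest): (size, detection)} from advisory-style lines."""
    iocs = {}
    for line in text.splitlines():
        m = IOC_LINE.match(line)
        if not m:
            continue  # headings, bullets and blank lines are skipped
        digest = m.group(1).lower()
        size = int(m.group(2).replace(",", ""))
        iocs[(HASH_ALGO[len(digest)], digest)] = (size, m.group(3))
    return iocs


def scan_tree(root, iocs):
    """Hash files under root and return [(path, detection)] for indicator matches.

    The listed file sizes act as a pre-filter: a file whose size is not in the
    indicator set cannot match, so it is never read or hashed."""
    sizes = {size for size, _ in iocs.values()}
    algos = {algo for algo, _ in iocs}
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size not in sizes:
            continue
        data = path.read_bytes()
        for algo in algos:
            key = (algo, hashlib.new(algo, data).hexdigest())
            if key in iocs:
                hits.append((str(path), iocs[key][1]))
    return hits


def demo():
    """Constructed sample: a benign file plus a file whose SHA-1 is listed as an IoC."""
    tmp = Path(tempfile.mkdtemp())
    sample = b"constructed sample bytes, not real malware\n" * 100
    (tmp / "CCleaner.exe").write_bytes(sample)
    (tmp / "readme.txt").write_bytes(b"harmless\n")
    ioc_text = (
        "    \u2022 SHA1\n\n"
        f"      {hashlib.sha1(sample).hexdigest()} ({len(sample):,} bytes) as BKDR_CCHACK.A\n"
        "      " + "0" * 64 + " (7,680,216 bytes) as BKDR_CCHACK.A\n"  # placeholder SHA-256 line
    )
    return scan_tree(tmp, parse_iocs(ioc_text))
```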
TrendMicro BKDR_CCHACK.A Detection

Web Reputation Service

Web Reputation Services evaluates the potential security risk of all requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, web reputation either blocks or approves the request.

The following C&C servers associated with the trojanized CCleaner are already being blocked by Trend Micro Web Reputation Services.

Predictive Machine Learning

Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks. It performs a behavioral analysis on unknown or low-prevalence processes to determine if an emerging or unknown threat is attempting to infect your network.

Predictive Machine Learning detects trojanized CCleaner files as the following:

  • TROJ.Win32.TRX.XXPE002FF019
  • TROJ.WIN32.TRX.XXPE002FF019R450C

Deep Discovery Inspector

Trend Micro Deep Discovery Inspector (DDI) is helpful in identifying the potentially impacted machines on the network. DDI has a rule to detect C&C connection attempts made by the trojanized CCleaner.

  • Rule ID 2497: CCHACK DNS Connection detected.

RECOMMENDATIONS FOR IT ADMIN

  • Upgrade to the latest version of CCleaner (the affected file version is 5.33.6162).
  • Monitor suspicious outbound connections using a network monitoring appliance such as Deep Discovery Inspector. An outbound connection to a known C&C server is already an indication that the host machine is infected.
  • Prevent employees from downloading or installing unapproved software. Trend Micro Endpoint Application Control lets IT admins define the list of programs, files and processes that are allowed to run on systems.
  • User education and awareness help improve everyone's security posture. Educating staff about the risks of downloading tools, even legitimate ones, can help reduce the risk of malware infection.