Piriform CCleaner Compromised by Multi-Stage Backdoor

Updated: 29 Sep 2017

Product/Version:
    • Control Manager All.All
    • Core Protection Module All.All
    • Deep Discovery Analyzer All.All
    • Deep Discovery Email Inspector All.All
    • Deep Discovery Inspector All.All
    • Deep Security All.All
    • Endpoint Application Control All.All
    • Endpoint Encryption All.All
    • Hosted Email Security All.All
    • InterScan Messaging Security Suite All.All
    • InterScan Messaging Security Virtual Appliance All.All
    • InterScan Web Security Virtual Appliance All.All
    • OfficeScan All.All
    • Worry-Free Business Security Services All.All
    • Worry-Free Business Security Standard/Advanced All.All

Platform: N/A
Summary

THREAT INFORMATION

It has been reported that a version of Piriform's CCleaner.exe was compromised (trojanized), resulting in the installation of a multi-stage backdoor capable of receiving instructions from threat actors on affected systems. The affected versions of CCleaner are listed below:

    • CCleaner version 5.33.6162
    • CCleaner Cloud version 1.07.3191

Trend Micro already detects the trojanized CCleaner as BKDR_CCHACK.A and BKDR_CCHACK.B.

ARRIVAL AND INSTALLATION

The compromised CCleaner was distributed from Piriform's own website. Threat actors were able to compromise the CCleaner binary hosted on the website, which resulted in the distribution of the malicious software to unsuspecting users. Since it came from a legitimate source and was digitally signed, it would be almost impossible for users to identify that the software had been modified to perform malicious activity.

Trojanized CCleaner Distribution

Details

Smart Scan and Conventional Scan

The following hashes related to the trojanized CCleaner are already detected as BKDR_CCHACK.A and BKDR_CCHACK.B by Trend Micro Smart Scan and Conventional Scan pattern version 13.671.00.

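A triage helper added for this article (it is not Trend Micro's code): it parses hash lines in the advisory's "<digest> (<size> bytes) as <detection>" format, infers the algorithm from the digest length, and checks files against the set, comparing the file size before hashing so that most files are never read. The stand-in file content and the IoC line it matches are constructed for the example, not values from the advisory.

```python
import hashlib
import os
import re
import tempfile
from collections import namedtuple
# One advisory hash line reads: "<hex digest> (7,680,216 bytes) as BKDR_CCHACK.A"
IOC_LINE = re.compile(r"^([0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}) \(([\d,]+) bytes\) as (\S+)$", re.I)
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}  # digest length tells the algorithm
FileIoc = namedtuple("FileIoc", "algo digest size detection")

def parse_ioc_lines(text):
    """Parse advisory-style hash lines into FileIoc records; other lines are ignored."""
    iocs = []
    for line in text.splitlines():
        m = IOC_LINE.match(line.strip())
        if m:
            digest, size, detection = m.groups()
            iocs.append(FileIoc(ALGO_BY_LEN[len(digest)], digest.lower(),
                                int(size.replace(",", "")), detection))
    return iocs

def match_bytes(data, iocs):
    """Return the detection name whose size and digest both match, else None."""
    digests = {}  # hash each algorithm at most once per file
    for ioc in (i for i in iocs if i.size == len(data)):
        if ioc.algo not in digests:
            digests[ioc.algo] = hashlib.new(ioc.algo, data).hexdigest()
        if digests[ioc.algo] == ioc.digest:
            return ioc.detection
    return None

def match_file(path, iocs):
    """Triage one file on disk; it is only read and hashed if its size is in the IoC set."""
    if os.path.getsize(path) not in {i.size for i in iocs}:
        return None
    with open(path, "rb") as f:
        return match_bytes(f.read(), iocs)
# Constructed sample: stand-in content plus a matching IoC line, not values from the advisory.
SAMPLE_BYTES = b"constructed stand-in content, not the trojanized CCleaner binary"
SAMPLE_IOC_TEXT = (
    f"{hashlib.sha256(SAMPLE_BYTES).hexdigest()} ({len(SAMPLE_BYTES):,} bytes) as BKDR_CCHACK.A\n"
    "this line is not an indicator and is skipped by the parser\n"
)
def demo():
    with tempfile.TemporaryDirectory() as tmp:  # write the stand-in file and triage it
        path = os.path.join(tmp, "CCleaner.exe")
        with open(path, "wb") as f:
            f.write(SAMPLE_BYTES)
        return match_file(path, parse_ioc_lines(SAMPLE_IOC_TEXT))
```

For a real sweep, feed the advisory's hash lines to parse_ioc_lines and walk the directories where CCleaner is installed or cached.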
TrendMicro BKDR_CCHACK.A Detection

Web Reputation Service

Web Reputation Services evaluates the potential security risk of all requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, web reputation either blocks or approves the request.

The following C&C servers associated with the trojanized CCleaner are already blocked by Trend Micro Web Reputation Services.

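An added example, not from this article or from Trend Micro: it refangs indicators written in the advisory's defanged notation ("[.]", "http[:]//") into plain hosts and matches them against DNS resolver log lines, which is the check a defender runs alongside Web Reputation blocking to find hosts that attempted a C&C lookup. The log line format, the hosts and the client IPs are all constructed for the example.

```python
import re
from collections import defaultdict

def refang(indicator):
    """Undo the advisory's defanging and reduce a URL or IP indicator to a bare host."""
    host = indicator.strip().replace("[.]", ".").replace("[:]", ":")
    host = re.sub(r"^[a-z]+://", "", host, flags=re.I)  # drop "http://" style scheme
    return host.split("/")[0].rstrip(".").lower()

def load_blocklist(text):
    """Return the set of hosts from a defanged indicator list, one indicator per line."""
    return {refang(line) for line in text.splitlines() if line.strip()}

# Assumed (constructed) resolver log format: "<timestamp> <client-ip> query <qname>"
LOG_LINE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+query\s+(\S+)$")

def find_cnc_lookups(log_text, blocklist):
    """Map each client that queried a listed C&C host to the set of hosts it asked for."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unparsable line: skipped, not treated as a hit
        _, client, qname = m.groups()
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname in blocklist:
            hits[client].add(qname)
    return dict(hits)

# Constructed indicators in the advisory's defanged notation (not the real C&C list).
SAMPLE_BLOCKLIST = """
http[:]//cnc-example-one[.]test
http[:]//cnc-example-two[.]test
198[.]51[.]100[.]7
"""
# Constructed resolver log lines, including a non-matching and an unparsable one.
SAMPLE_LOG = """
2017-09-18T10:01:02Z 10.0.0.5 query cnc-example-one.test.
2017-09-18T10:01:03Z 10.0.0.5 query www.example.com.
2017-09-18T10:02:10Z 10.0.0.9 query CNC-EXAMPLE-TWO.test
2017-09-18T10:02:11Z 10.0.0.12 query updates.example.org
garbage line that does not parse
"""
```

Any client returned by find_cnc_lookups should be isolated and checked for the affected CCleaner version, since a lookup of a known C&C host is itself the indicator of infection.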

Predictive Machine Learning

Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks. It performs a behavioral analysis on unknown or low-prevalence processes to determine if an emerging or unknown threat is attempting to infect your network.

Predictive Machine Learning detects trojanized CCleaner files as the following:

  • TROJ.Win32.TRX.XXPE002FF019
  • TROJ.WIN32.TRX.XXPE002FF019R450C

Deep Discovery Inspector

Trend Micro Deep Discovery Inspector (DDI) is helpful in identifying the potentially impacted machines on the network. DDI has a rule to detect C&C connection attempts made by the trojanized CCleaner.

  • Rule ID 2497: CCHACK DNS Connection detected.

RECOMMENDATIONS FOR IT ADMIN

  • Upgrade to the latest version of CCleaner (the affected file version is 5.33.6162).
  • Monitor for suspicious outbound connections with a network monitoring appliance such as Deep Discovery Inspector. An outbound connection to a known C&C server is already an indication that the host machine is infected.
  • Restrict employees' ability to download or install unapproved software. Trend Micro Endpoint Application Control allows IT admins to define the list of programs/files/processes that can run on systems.
  • User education and awareness help improve everyone's security posture. Educating staff about the risks that can accompany downloading even legitimate tools can help reduce malware infections.
Category: Remove a Malware / Virus
Solution Id: 1118367