It has been reported that a version of Piriform's CCleaner.exe was compromised (trojanized), resulting in the installation of a multi-stage backdoor capable of receiving instructions from threat actors on affected systems. The affected versions of CCleaner are listed below:
- CCleaner version 5.33.6162
- CCleaner Cloud version 1.07.3191
ARRIVAL AND INSTALLATION
The compromised CCleaner was distributed from Piriform's actual website. Threat actors were able to compromise the CCleaner binary hosted on the website, which resulted in the malicious software being distributed to unsuspecting users. Since it came from a legitimate source and was digitally signed, it would be almost impossible for users to identify that the software had been modified to perform malicious activity.
Trojanized CCleaner Distribution
Smart Scan and Conventional Scan
The following files are detected by Trend Micro Smart Scan and Conventional Scan patterns. Each entry gives the file hash (SHA-1, SHA-256 or MD5), the file size, and the detection name:
SHA-1:
7e9cfa3cca5000fe56e4cf5c660f7939487e531a (7,781,592 bytes) as BKDR_CCHACK.A
d4b3c8ce4b4abdb5b60a6547801a53d32a666867 (7,464,860 bytes) as BKDR_CCHACK.A
8983a49172af96178458266f93d65fa193eaaef2 (7,680,216 bytes) as BKDR_CCHACK.A
dd2520a73a30e29df87ed45a45ebfafa037561a3 (7,464,861 bytes) as BKDR_CCHACK.A
6fd69c63469fcef34306a4b39cb08593a439be4b (7,210,544 bytes) as BKDR_CCHACK.A
c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b (9,791,816 bytes) as BKDR_CCHACK.A
d7f20a5c8b0c930e06b104bb23665dfc127c0c76 (6,392,268 bytes) as BKDR_CCHACK.B
331b93db25a7386461dcadf143329096f0752d62 (6,927,830 bytes) as BKDR_CCHACK.B
8451d6db681ef41791c3ccaad15873d11f63fd26 (655,360 bytes) as BKDR_CCHACK.B
a8437422d5edd7c84995f693dd018d4f1c13f0e0 (2,087,565 bytes) as BKDR_CCHACK.B
ac94ed1e8255533aec65aded8e797e01c8f2cb43 (2,464,000 bytes) as BKDR_CCHACK.B
8acc62cb5f7565ba1091b4766908bea3a2993d87 (384,719 bytes) as BKDR_CCHACK.B
aa2c1ce704b223091999e31d5535aad07a41d5f9 (7,781,592 bytes) as BKDR_CCHACK.B
4c77d80f65b0551d486c6170ead5d4fe067f40d0 (8,637,656 bytes) as BKDR_CCHACK.B
80746f984b50b9127a15773db42204123c2e0c59 (7,664,856 bytes) as BKDR_CCHACK.B
b13221160e42fc84ea3dbc226b9f40e8b0128811 (6,310,274 bytes) as BKDR_CCHACK.B
095078b255843f94437e8fd41426b24618b89d4a (5,226,496 bytes) as BKDR_CCHACK.B
3514e556808c6b7eb2150c4ede8d6635a0d334cd (3,148,504 bytes) as BKDR_CCHACK.B
e6af115d7b208e5c810fc25ac2260def7659ff69 (6,250,194 bytes) as BKDR_CCHACK.B
759049a2f99f564a463b4abc1f8875fe750932e6 (1,092,293 bytes) as BKDR_CCHACK.B
f351e8acd03a09f579edd4f2532908d94efe134a (2,359,296 bytes) as BKDR_CCHACK.B
9a5de9adb8497fa639246f9a1c3eb19cec083cb3 (2,555,904 bytes) as BKDR_CCHACK.B
f042d1b7fd87c14c2195fc92a6a5afc400b8b733 (2,336,251 bytes) as BKDR_CCHACK.B
91f2db3034308bb5ea8910bef0237f9e3870c663 (7,680,216 bytes) as BKDR_CCHACK.B
3e8f9e37c70e7fbde855d77229927fcad1abd153 (4,194,052 bytes) as BKDR_CCHACK.B
6e9210ff9ef4ee47671b8512ec61be75f3aefeb9 (1,270,388 bytes) as BKDR_CCHACK.B
a21403e47a1eddffefa3dd9dd1bd8fb77be9fe6f (7,595,489 bytes) as BKDR_CCHACK.B
1675509e7366104eb497fbbb5bcd9a166a6c25be (7,596,764 bytes) as BKDR_CCHACK.B
9929f7517399189f409b8dc01cd171df645a0259 (5,668,864 bytes) as BKDR_CCHACK.B
5a2b658b4daf8b5e154b6baedfabf3ed2b2a3dfc (2,559,232 bytes) as BKDR_CCHACK.B
3c235d378388312122e476c5fb10a58ff6702ec2 (8,573,144 bytes) as BKDR_CCHACK.B
88d1eda90fa4f06ce0527eee5b09f5261519bad1 (7,680,216 bytes) as BKDR_CCHACK.B
SHA-256:
36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9 (7,680,216 bytes) as BKDR_CCHACK.A
6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9 (7,781,592 bytes) as BKDR_CCHACK.A
1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff (9,791,816 bytes) as BKDR_CCHACK.A
0564718b3778d91efd7a9972e11852e29f88103a10cb8862c285b924bc412013 (7,154,040 bytes) as BKDR_CCHACK.A
128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f (81,408 bytes) as TROJ64_CCHACK.A
dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83 (175,616 bytes) as TROJ_CCHACK.A
24d956f25f733ff138ab7a20e1384e281bd9427e05a3fac3adb30b03e9d8bd38 (81,052 bytes) as REG_CCHACK.A
07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 (173,568 bytes) as TROJ_CCHACK.B
MD5:
d488e4b61c233293bec2ee09553d3a2f (7,680,216 bytes) as BKDR_CCHACK.A
ef694b89ad7addb9a16bb6f26f1efaf7 (7,781,592 bytes) as BKDR_CCHACK.A
75735db7291a19329190757437bdb847 (9,791,816 bytes) as BKDR_CCHACK.A
2d29b4a7ca69060f23d3b63331fcc042 (7,154,040 bytes) as BKDR_CCHACK.A
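A practical way to use the hash list above during triage is to hash files on disk and compare them against the advisory's entries, using the listed file size as a cheap pre-filter so that most files are never hashed at all. The script below is an added example, not Trend Micro's tooling: its IOC_ENTRIES table is a representative subset copied from the hash list above (extend it with the full list when using it), the digest type is inferred from the hex length (32 = MD5, 40 = SHA-1, 64 = SHA-256), and the directory and files used in demo() are constructed stand-ins, registered under a constructed detection name, since real samples cannot be shipped here.

```python
"""Triage helper: match files on disk against the IoC hashes in this advisory.

Added example, not Trend Micro's tooling. IOC_ENTRIES is a representative
subset copied from the advisory's hash list (SHA-1, SHA-256 and MD5, each with
the file size the advisory gives). The scanned directory and the demo files
are constructed.
"""
import hashlib
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# (digest, size in bytes, detection name), copied from the advisory.
IOC_ENTRIES: List[Tuple[str, int, str]] = [
    ("7e9cfa3cca5000fe56e4cf5c660f7939487e531a", 7781592, "BKDR_CCHACK.A"),
    ("d7f20a5c8b0c930e06b104bb23665dfc127c0c76", 6392268, "BKDR_CCHACK.B"),
    ("36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9", 7680216, "BKDR_CCHACK.A"),
    ("128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f", 81408, "TROJ64_CCHACK.A"),
    ("24d956f25f733ff138ab7a20e1384e281bd9427e05a3fac3adb30b03e9d8bd38", 81052, "REG_CCHACK.A"),
    ("d488e4b61c233293bec2ee09553d3a2f", 7680216, "BKDR_CCHACK.A"),
    ("ef694b89ad7addb9a16bb6f26f1efaf7", 7781592, "BKDR_CCHACK.A"),
]

# The advisory mixes three digest types; the hex length tells them apart.
ALGO_BY_HEX_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

Index = Dict[str, Dict[str, Tuple[int, str]]]  # algo -> digest -> (size, name)


def build_index(entries) -> Index:
    """Group the IoC entries by digest algorithm for fast lookup."""
    index: Index = {}
    for digest, size, name in entries:
        algo = ALGO_BY_HEX_LEN.get(len(digest))
        if algo is None:
            raise ValueError(f"unrecognised digest length for {digest!r}")
        index.setdefault(algo, {})[digest.lower()] = (size, name)
    return index


def hash_file(path: str, algos) -> Dict[str, str]:
    """Compute every requested digest in one pass over the file."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def match_file(path: str, index: Index) -> Optional[Tuple[str, str]]:
    """Return (digest, detection name) if the file is a listed sample, else None.

    File size is a cheap pre-filter: every advisory entry carries a size, so a
    file whose size matches no entry cannot match and is never hashed.
    """
    size = os.path.getsize(path)
    algos = [a for a, table in index.items()
             if any(s == size for s, _ in table.values())]
    if not algos:
        return None
    digests = hash_file(path, algos)
    for algo in algos:
        hit = index[algo].get(digests[algo])
        if hit is not None and hit[0] == size:
            return digests[algo], hit[1]
    return None


def scan_directory(root: str, index: Index) -> List[Tuple[str, str, str]]:
    """Walk root and return (path, digest, detection name) for every match."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                m = match_file(path, index)
            except OSError:
                continue  # unreadable file: skip it rather than abort the scan
            if m is not None:
                hits.append((path, m[0], m[1]))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Run the scanner over a constructed directory.

    A constructed file is registered under a constructed detection name next
    to the advisory entries. A benign file of the same length shows that the
    size pre-filter alone never produces a hit; only a matching digest does.
    """
    sample = b"constructed stand-in for a listed sample\n"
    benign = b"x" * len(sample)  # same size, different content
    entries = IOC_ENTRIES + [
        (hashlib.sha256(sample).hexdigest(), len(sample), "CONSTRUCTED_TEST_SAMPLE"),
    ]
    index = build_index(entries)
    with tempfile.TemporaryDirectory() as root:
        with open(os.path.join(root, "CCleaner.exe"), "wb") as fh:
            fh.write(sample)
        with open(os.path.join(root, "readme.txt"), "wb") as fh:
            fh.write(benign)
        return scan_directory(root, index)


if __name__ == "__main__":
    for path, digest, name in demo():
        print(f"{path}: {digest} -> {name}")
```

Point scan_directory() at a download cache or the CCleaner install directory and review every returned tuple; because the size check runs before any hashing, scanning a large tree costs little more than a directory walk.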
TrendMicro BKDR_CCHACK.A Detection
Web Reputation Service
Web Reputation Services evaluates the potential security risk of all requested URLs at the time of each HTTP request. Depending on the rating returned by the database and the security level configured, web reputation either blocks or approves the request.
The following C&C servers associated with the trojanized CCleaner are already being blocked by Trend Micro Web Reputation Services.
Predictive Machine Learning
Predictive Machine Learning is a powerful tool that helps protect your environment from unidentified threats and zero-day attacks. It performs a behavioral analysis on unknown or low-prevalence processes to determine if an emerging or unknown threat is attempting to infect your network.
Predictive Machine Learning detects trojanized CCleaner files as the following:
Deep Discovery Inspector
Trend Micro Deep Discovery Inspector (DDI) helps identify potentially impacted machines on the network. DDI has a rule that detects C&C connection attempts made by the trojanized CCleaner.
- Rule ID 2497: CCHACK DNS Connection detected.
RECOMMENDATIONS FOR IT ADMIN
- Upgrade to the latest version of CCleaner (the affected file version is 5.33.6162).
- Monitor for suspicious outbound connections using a network monitoring appliance such as Deep Discovery Inspector. An outbound connection to a known C&C server is already an indication that the host machine is infected.
- Prevent employees from downloading or installing unapproved software. Trend Micro Endpoint Application Control allows IT admins to define the list of programs/files/processes that can run on systems.
- User education and awareness help improve everyone's security posture. Educating staff about the potential risks that come with downloading even legitimate tools can help reduce the risk of malware infection.