A recently disclosed breach at Avast-owned Piriform, makers of the popular software utility CCleaner, was a highly targeted attack performed by a sophisticated actor, Avast and Cisco security researchers have discovered.
Revealed on Monday, the compromise is believed to have happened in early July, before Avast completed its purchase of Piriform. Attackers modified the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases, adding backdoor code that collected user and system information. The modified binaries were available for download between August 15 and September 12, and more than 2 million users downloaded a malicious version.
The infected installers were discovered by Morphisec, which alerted Avast on September 12. Within 72 hours, the command and control (C&C) server where the malicious code sent information was taken down and clean versions of CCleaner were being pushed to users.
Although Avast initially stated that the compromise had been addressed before any harm was done to users, the company confirmed on Wednesday that this was in fact a highly targeted attack and that a secondary payload was executed on some of the affected systems.
Analysis of the logs found on the C&C server showed that 20 machines across 8 organizations received the second-stage payload. However, the logs covered only just over three days, so the actual number of machines that received the payload could be in the hundreds, Avast says.
The security firm would not reveal the names of the targeted organizations, but says they were “select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US.” This means that the vast majority of CCleaner users were not of interest to the attackers.
According to Cisco Talos researchers, the list of domains the attackers were attempting to target includes the sites of high-profile technology companies such as Singtel, HTC, Samsung, Sony, Intel, Microsoft, Cisco, O2, Vodafone, Akamai, among others. Cisco also disclosed that the attackers “were specifically controlling which infected systems were actually delivered a stage 2 payload.”
Attackers controlled payload delivery
“The server implemented a series of checks to determine whether to proceed with standard operations or simply redirect to the legitimate Piriform website,” Cisco explains.
On the server, the researchers also found a PHP file that defines core variables and operations used, which specifies the time zone as being People’s Republic of China (PRC). This, however, shouldn’t be relied on for attribution, the researchers say.
Analysis of the server also revealed what type of information attackers gathered from the infected systems: OS version, architecture information, whether the user has administrative rights, hostname and domain name, a list of software installed on the machine, and currently running processes on the machine. The system information is stored in a MySQL database.
The database showed that about 700,000 machines reported to the C&C server between Sept. 12 and Sept. 16, but only around 20 of them received the second-stage payload. The researchers also determined that 540 government systems around the world were affected by the attack, and that 51 compromised systems belonged to domains containing the word ‘bank’.
However, Cisco also points out that the target list was changed while the server was active. The actor apparently had the ability to add or remove domains from the target list, based on the environments or organizations they chose to target. The server also held functionality responsible for loading and executing the second stage payload.
“During the compromise, the malware would periodically contact the C&C server and transmit reconnaissance information about infected systems. This information included IP addresses, online time, hostname, domain name, process listings, and more. It’s quite likely this information was used by the attackers to determine which machines they should target during the final stages of the campaign,” the researchers say.
Sophisticated stage 2 payload
Heavily obfuscated and using anti-debugging and anti-emulation tricks, the stage 2 payload was found to be a complex piece of code built from two components (DLLs). One is responsible for persistence, while the other contains the main business logic, mostly related to connecting to another C&C. The server address, which the attackers can change at any time, is derived from a GitHub account, a WordPress account and a DNS record of a domain.
Cisco explains that the stage 2 installer is GeeSetup_x86.dll, which checks the OS version and drops the matching version of a Trojanized tool. On x86 systems it uses a Trojanized TSMSISrv.dll, which drops VirtCDRDrv, a name that matches a legitimate Corel executable. On x64 systems it uses a Trojanized EFACli64.dll named SymEFA, matching a legitimate executable in Symantec Endpoint.
The researchers found that the code patches a legitimate binary to package the malware, and that an encoded PE is stored in the registry. The Trojanized binary decodes and executes that PE, which queries additional C&C servers and executes further PE files in memory. Because the executables are never written directly to the file system, detection could prove complicated.
“Talos has reviewed claims from Kaspersky researchers that there is code overlap with malware samples known to be used by Group 72. While this is by no means proof in terms of attribution, we can confirm the overlap and we agree that this is important information to be considered,” the researchers continue.
Thorough cleanup necessary
Cisco points out that, while updating to the latest version of CCleaner removes the backdoor code in the installer, further action might be required to remove additional malware that could be present on the system. They therefore reinforce their previous recommendation that impacted users restore their systems from backups or reinstall the operating system completely.
Avast, on the other hand, recommends updating to CCleaner version 5.35, noting that the digital certificate used to sign the infected version 5.33 has been revoked. The company also recommends that consumers use an anti-malware application.
“For corporate users, the decision may be different and will likely depend on corporate IT policies. At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted,” the security firm notes.
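As a concrete way to act on the indicators and the differing remediation advice above, here is an added triage script (not code from the page, Avast or Cisco) that checks a constructed software and file inventory for the backdoored builds named earlier in the article and for the stage 2 component names. The Endpoint records, the severity labels and the escalation rule are this example's own assumptions; the file names are deliberately treated as leads to review rather than proof, since VirtCDRDrv and SymEFA share names with legitimate Corel and Symantec files, and only a host that shows both a backdoored build and stage 2 names is escalated to the rebuild advice Cisco gives.

```python
"""Fleet triage for the CCleaner compromise indicators described in the article.

Assumptions (not from the page): the Endpoint records below are constructed
sample inventory data, and the severity labels and triage() logic are this
example's own.
"""
from dataclasses import dataclass

# Builds the page reports as backdoored. Only the 32-bit CCleaner 5.33.6162
# build was modified; the page gives no architecture for CCleaner Cloud.
BACKDOORED_BUILDS = {
    ("CCleaner", "5.33.6162", "x86"),
    ("CCleaner Cloud", "1.07.3191", None),
}

# Stage 2 component names from the page. VirtCDRDrv and SymEFA reuse the names
# of legitimate Corel and Symantec files, so a name hit is a lead to review
# (check the file's signature and hash), not proof of compromise.
STAGE2_COMPONENTS = {
    "GeeSetup_x86.dll": "stage 2 installer",
    "TSMSISrv.dll": "trojanized x86 loader",
    "VirtCDRDrv": "x86 dropped component; name collides with a legitimate Corel file",
    "EFACli64.dll": "trojanized x64 loader",
    "SymEFA": "x64 dropped component; name collides with a legitimate Symantec file",
}


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    installed: tuple  # (product, version, arch) rows from a software inventory
    files: tuple      # file names reported by an EDR or file inventory


@dataclass(frozen=True)
class Finding:
    hostname: str
    severity: str  # "backdoored", "update", "review" or "stage2-suspected"
    detail: str


def triage(ep: Endpoint) -> list:
    """Return findings for one endpoint, in the order they are discovered."""
    findings = []
    backdoored = False
    for product, version, arch in ep.installed:
        if (product, version, arch) in BACKDOORED_BUILDS or (product, version, None) in BACKDOORED_BUILDS:
            backdoored = True
            findings.append(Finding(ep.hostname, "backdoored",
                                    f"{product} {version} ({arch}) is a backdoored build; update to 5.35 and assume the host beaconed"))
        elif product == "CCleaner" and version.startswith("5.33"):
            # Other 5.33 builds are not reported as backdoored, but the 5.33
            # signing certificate was revoked, so they should be updated anyway.
            findings.append(Finding(ep.hostname, "update",
                                    f"{product} {version} ({arch}): not reported as backdoored, but the 5.33 certificate was revoked"))
    present = {name.lower() for name in ep.files}
    hits = [name for name in STAGE2_COMPONENTS if name.lower() in present]
    for name in hits:
        findings.append(Finding(ep.hostname, "review", f"{name}: {STAGE2_COMPONENTS[name]}"))
    if backdoored and hits:
        # Stage 2 went only to selected targets; a backdoored build plus stage 2
        # names on the same host is the case where a rebuild is warranted.
        findings.append(Finding(ep.hostname, "stage2-suspected",
                                "backdoored build plus stage 2 component names: restore from backup or reinstall the OS"))
    return findings


def triage_fleet(endpoints) -> dict:
    """Map hostname -> list of severities, so a fleet can be sorted by urgency."""
    return {ep.hostname: [f.severity for f in triage(ep)] for ep in endpoints}


# Constructed sample data (not from the page).
SAMPLE_FLEET = (
    Endpoint("ws-01", (("CCleaner", "5.33.6162", "x86"),), ("ccleaner.exe",)),
    Endpoint("ws-02", (("CCleaner", "5.33.6162", "x64"),), ("ccleaner64.exe",)),
    Endpoint("srv-03", (("CCleaner Cloud", "1.07.3191", "x64"),), ("EFACli64.dll", "SymEFA")),
    Endpoint("ws-04", (("CCleaner", "5.35", "x64"),), ("VirtCDRDrv",)),
)

if __name__ == "__main__":
    for ep in SAMPLE_FLEET:
        for f in triage(ep):
            print(f"{f.hostname:8} {f.severity:17} {f.detail}")
```

Feed the script real inventory rows instead of SAMPLE_FLEET and treat every "review" hit as a file to hash and signature-check before deciding; a "stage2-suspected" host should be rebuilt rather than cleaned, in line with the Cisco recommendation above.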
“Supply chain attacks seem to be increasing in velocity and complexity. Unfortunately, security events that are not completely understood are often downplayed in severity. This can work counter to a victim’s best interests. Security companies need to be conservative with their advice before all of the details of the attack have been determined to help users ensure that they remain protected. This is especially true in situations where entire stages of an attack go undetected for a long period of time,” Cisco points out.