On September 18, Cisco’s Talos team published that Avast’s recently acquired subsidiary Piriform was leveraged to deliver malware to unsuspecting victims via its IT utility tool, CCleaner.

CCleaner is an application that allows users to perform routine maintenance on their systems. It includes functionality such as cleaning of temporary files, analyzing the system to determine ways in which performance can be optimized, and providing a more streamlined way to manage installed applications. For about a month, from mid-August until September 12, the tool’s latest official release (v5.33) also contained a multi-stage malware payload hidden within the installation of CCleaner.

Since the binary was digitally signed using a valid certificate issued to the original software developer, it is likely that an external attacker compromised a portion of Avast’s development or build environment, and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It appears that behind this campaign was a sophisticated attacker, specifically targeting IT companies using a supply chain attack to compromise a vast number of victims, persistently.

The first stage of the malware is very paranoid and extremely cautious. For example, it uses a clever time skew detection mechanism. First, it records the current system time on the infected system. It then delays for 601 seconds before continuing operations. To implement this delay functionality, the malware calls another function, which attempts to ping 224.0.0.0 using a timeout set to 601 seconds. It then checks the current system time to see if 600 seconds have elapsed. If that condition is not met, the malware terminates execution while the CCleaner binary continues normal operations. This is a unique way to avoid a sandbox without calling the sleep function directly.

The malware then checks to determine the privileges assigned to the user running on the system. If the current user running the malicious process is not an administrator, the malware will terminate its execution. Once the malware starts running, it profiles the system and gathers system information, which is later transmitted to the C2 server.

During the investigation, security researchers obtained an archive containing files that were stored on the C2 server. One of the files contained a list of organizations that were specifically targeted through the delivery of a second-stage loader. The list of the domains the attackers were attempting to target contains high-profile technology companies (Microsoft, Cisco, VMware etc.). There are some striking similarities between the code injected into CCleaner and the APT17/Aurora malware created by a Chinese APT group in 2014/2015.

We want to inform our customers they are fully protected from this threat without the need for any signature or update. Minerva prevented the entire attack with its Memory Injection Prevention module. The malware allowed an infected system to be remotely controlled and to collect data from your computer.

Note: in some scenarios Minerva will prevent this threat but won’t alert.
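As an added example (not Minerva’s or Talos’ code), the following Python models the first-stage gates described above (the 601-second wait, the 600-second wall-clock check, then the administrator check) so a sandbox operator can see which analysis configurations would ever observe the second stage. The Sandbox fields and the configurations at the bottom are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Tuple

DELAY_SECONDS = 601       # the ping timeout the first stage uses as its wait
REQUIRED_ELAPSED = 600    # wall-clock delta the first stage checks afterwards


@dataclass
class Sandbox:
    """Hypothetical sandbox configuration (constructed for this example)."""
    name: str
    budget_s: int          # seconds the sample is allowed to run
    runs_as_admin: bool
    skips_waits: bool      # makes timeouts/sleeps return immediately
    advances_clock: bool   # moves the guest clock forward when a wait is skipped


def first_stage_proceeds(sb: Sandbox) -> Tuple[bool, str]:
    """Apply the stage-one gates in the order described: wait, time check, privilege check."""
    if sb.skips_waits:
        real_wait = 0                                   # sandbox short-circuits the timeout
        observed_elapsed = DELAY_SECONDS if sb.advances_clock else 0
    else:
        real_wait = DELAY_SECONDS                       # the full 601 s really pass
        observed_elapsed = DELAY_SECONDS
    if real_wait > sb.budget_s:
        return False, "analysis budget expired during the 601 s wait"
    if observed_elapsed < REQUIRED_ELAPSED:
        return False, "time-skew check failed: wait skipped but clock not advanced"
    if not sb.runs_as_admin:
        return False, "process is not running as administrator"
    return True, "stage one proceeds to profiling and C2 contact"


def evaluate(sandboxes):
    """Map each configuration name to (proceeds, reason)."""
    return {sb.name: first_stage_proceeds(sb) for sb in sandboxes}


if __name__ == "__main__":
    # Constructed configurations, not real products.
    configs = [
        Sandbox("five-minute-admin", 300, True, False, False),
        Sandbox("sleep-skipper", 300, True, True, False),
        Sandbox("skip-and-advance-clock", 300, True, True, True),
        Sandbox("fifteen-minute-user", 900, False, False, False),
        Sandbox("fifteen-minute-admin", 900, True, False, False),
    ]
    for name, (ok, why) in evaluate(configs).items():
        print(f"{name:24s} {'RUNS' if ok else 'bails'}: {why}")
```

Only a run that lets real (or consistently faked) time pass for more than ten minutes, as an administrator, reaches the profiling and C2 stage; a short run, or one that skips waits without also moving the clock, never sees it.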