hacker7 Posted September 21, 2017

The group of unknown hackers who hijacked CCleaner's download server to distribute a malicious version of the popular system optimization software targeted at least 20 major international technology companies with a second-stage payload.

Earlier this week, when the CCleaner hack was reported, researchers assured users that there was no second-stage malware used in the massive attack and that affected users could simply update their version in order to get rid of the malicious software.

However, during the analysis of the hackers' command-and-control (C2) server to which the malicious CCleaner versions connected, security researchers from Cisco's Talos Group found evidence of a second payload (GeeSetup_x86.dll, a lightweight backdoor module) that was delivered to a specific list of computers based on local domain names.

Affected Technology Firms

According to a predefined list mentioned in the configuration of the C2 server, the attack was designed to find computers inside the networks of the major technology firms and deliver the secondary payload. The target companies included: Google, Microsoft, Cisco, Intel, Samsung, Sony, HTC, Linksys, D-Link, Akamai and VMware.

In the database, researchers found a list of nearly 700,000 backdoored machines infected with the malicious version of CCleaner, i.e. the first-stage payload, and a list of at least 20 machines that were infected with the secondary payload to get a deeper foothold on those systems. The CCleaner hackers specifically chose these 20 machines based upon their domain name, IP address and hostname. The researchers believe the secondary malware was likely intended for industrial espionage.

CCleaner Malware Links to Chinese Hacking Group

According to the researchers from Kaspersky, the CCleaner malware shares some code with the hacking tools used by a sophisticated Chinese hacking group called Axiom, also known as APT17, Group 72, DeputyDog, Tailgater Team, Hidden Lynx or AuroraPanda. "The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella'," tweeted the director of the Global Research and Analysis Team at Kaspersky Lab.

Cisco researchers also note that one configuration file on the attacker's server was set for China's time zone, which suggests China could be the source of the CCleaner attack. However, this evidence alone is not enough for attribution. Cisco Talos researchers also said that they have already notified the affected tech companies about a possible breach.

Removing Malicious CCleaner Version Would Not Help

Just removing Avast's software application from the infected machines would not be enough to get rid of the CCleaner second-stage malware payload from their network, with the attackers' C2 server still active. So, affected companies that have had their computers infected with the malicious version of CCleaner are strongly recommended to fully restore their systems from backup versions made before the installation of the tainted program.

"These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system," the researchers say.
virge Posted September 21, 2017

I'm not using this app anymore.
BioHazard Posted September 21, 2017

Luckily I had stopped using it just before Avast took over.
hacker7 Posted September 21, 2017 (Author)

The supply chain attack was just a first step of what now appears to be a much more targeted op, most likely nation-state sponsored.
J.D Posted September 21, 2017

What version of CCleaner are they referring to, v533 or later? (Or earlier even?)
hacker7 Posted September 21, 2017 (Author)

19 minutes ago, J.D said: What version of CCleaner are they referring to, v533 or later? (Or earlier even?)

Same version, v533, but on company servers now!
hacker7 Posted September 21, 2017 (Author)

Officially moved to Galary now instead!!!
trufpal Posted September 21, 2017

@hacker7 Your username looks suspicious. Are you behind all of these attacks? Joking aside, it's hard to believe how quickly things turned to shit at Piriform. From getting acquired by Avast and now this. Such a shame, since CCleaner was a really good program. Well, at least there are many viable alternatives out there: BleachBit, System Ninja and many more.
hacker7 Posted September 21, 2017 (Author)

2 minutes ago, trufpal said: @hacker7 Your username looks suspicious. Are you behind all of these attacks? Joking aside, it's hard to believe how quickly things turned to shit at Piriform. From getting acquired by Avast and now this. Such a shame, since CCleaner was a really good program. Well, at least there are many viable alternatives out there: BleachBit, System Ninja and many more.

Hihi @trufpal, attacking them and delivering the news too! Yes, Ninja is not so bad!
fishbone Posted September 21, 2017

Which means? Can CCleaner no longer be used?
hacker7 Posted September 21, 2017 (Author)

11 minutes ago, fishbone said: Which means? Can CCleaner no longer be used?

Not recommended at this time, I would say.
Holmes Posted September 22, 2017

I remember reading the attack took place two weeks before the acquisition by Avast, so Avast had nothing to do with this breach aside from what they're doing now. I still had version 5.1-something and now I'm going to update to the latest. Well, not yet: I'm going to stand by to make sure all is well and good first. I don't think you should use CCleaner right now; that doesn't mean don't use it in the future (unless Avast screws it up).
DKT27 (Administrator) Posted September 22, 2017

People need to understand this thing is not a small-scale one. Yes, the AV company could have prevented it with special security measures, but this shows that it was a specific, targeted, personalized and big hacking attempt from an expert hacking group. I still think people on the internet have not realized the size and importance of it.
steven36 Posted September 22, 2017

Avast didn't get the signatures till Monday, after it was told in the news: https://www.avast.com/fi-fi/virus-update-history

ESET got them the same day: http://www.virusradar.com/update/info/16099

45 / 64: https://www.virustotal.com/en/file/6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9/analysis/

I don't think any of them had the signature before Monday? And no one at the Avast forums knew about it till Monday: https://forum.avast.com/index.php?topic=208612.msg1421138#msg1421138

And no one at ESET knew about it till Monday: https://forum.eset.com/topic/13175-ccleaner-v5336162-and-ccleaner-cloud-v1073191-had-been-compromised/

By the time anti-malware got the signatures, the backdoor server was already closed and the damage was already done. Only Morphisec's unique Moving Target Defense cyber security solution for businesses was able to pick up on it, with all the security stuff for the internet there is now! http://blog.morphisec.com/morphisec-discovers-ccleaner-backdoor

We are screwed, people, if this keeps happening to software.
Iznogoud Posted September 22, 2017

I installed version 5.33 (when it was released), but ESET (my antivirus) didn't report malware during installation. It failed to protect me. Furthermore, I used version 5.33 for a month, and ESET never reported a virus during that time. I learned about the infection through the news (on nsane), and then restored my ATI backup (luckily I backed up when it was version 5.32). My point is that not only Avast failed, but also ESET (in my case), and probably other antiviruses. The virus was active for one month on my computer and ESET didn't detect it. How many of you were protected by your antivirus from mid-August to mid-September? Did your antivirus stop the installation of version 5.33, or later report that you were using an infected version of CCleaner in this period?
BALTAGY Posted September 22, 2017

7 minutes ago, stajke said: I installed version 5.33 (when it was released), but ESET (my antivirus) didn't report malware during installation. It failed to protect me. Furthermore, I used version 5.33 for a month, and ESET never reported a virus during that time. I learned about the infection through the news (on nsane), and then restored my ATI backup (luckily I backed up when it was version 5.32). My point is that not only Avast failed, but also ESET (in my case), and probably other antiviruses. The virus was active for one month on my computer and ESET didn't detect it. How many of you were protected by your antivirus from mid-August to mid-September? Did your antivirus stop the installation of version 5.33, or later report that you were using an infected version of CCleaner in this period?

No antivirus detected it; even Avast, who wrote about the hack, didn't detect it the same day, lol. ESET detected it the same day they discovered it.
hacker7 Posted September 22, 2017 (Author)

21 minutes ago, stajke said: I installed version 5.33 (when it was released), but ESET (my antivirus) didn't report malware during installation. It failed to protect me. Furthermore, I used version 5.33 for a month, and ESET never reported a virus during that time. I learned about the infection through the news (on nsane), and then restored my ATI backup (luckily I backed up when it was version 5.32). My point is that not only Avast failed, but also ESET (in my case), and probably other antiviruses. The virus was active for one month on my computer and ESET didn't detect it. How many of you were protected by your antivirus from mid-August to mid-September? Did your antivirus stop the installation of version 5.33, or later report that you were using an infected version of CCleaner in this period?

12 minutes ago, BALTAGY said: No antivirus detected it; even Avast, who wrote about the hack, didn't detect it the same day, lol. ESET detected it the same day they discovered it.

Yes, as BALTAGY said, no antivirus ever detected anything till Monday, the day we all heard about it, and suddenly ESET started detecting it out of nowhere, lol.
Iznogoud Posted September 22, 2017

9 minutes ago, BALTAGY said: No antivirus detected it; even Avast, who wrote about the hack, didn't detect it the same day, lol. ESET detected it the same day they discovered it.

In my opinion the whole security community failed in this case. The virus was active for a whole month.
hacker7 Posted September 22, 2017 (Author)

6 hours ago, DKT27 said: People need to understand this thing is not a small-scale one. Yes, the AV company could have prevented it with special security measures, but this shows that it was a specific, targeted, personalized and big hacking attempt from an expert hacking group. I still think people on the internet have not realized the size and importance of it.

1 minute ago, stajke said: In my opinion the whole security community failed in this case. The virus was active for a whole month.

This wasn't any standard hack attempt.
Agent 86 Posted September 22, 2017

On 9/21/2017 at 10:06 AM, hacker7 said: However, during the analysis of the hackers' command-and-control (C2) server to which the malicious CCleaner versions connected, security researchers from Cisco's Talos Group found evidence of a second payload (GeeSetup_x86.dll, a lightweight backdoor module) that was delivered to a specific list of computers based on local domain names.

So does this mean that users such as myself have nothing to worry about as far as this specific exploit is concerned? I currently have v5.34 installed.
hacker7 Posted September 22, 2017 (Author)

4 hours ago, Agent 86 said: So does this mean that users such as myself have nothing to worry about as far as this specific exploit is concerned? I currently have v5.34 installed.

We all should be worried about what's going on! And I myself can't trust CCleaner anymore, especially with Avast being head security at the firm.
Cerberus Posted September 22, 2017

The hackers are not going after small-time users; instead they are obviously focused on corporations. Anyone with disassembler skills could remove the threat, but it's up to the CCleaner devs to patch the door they are using or this will continue. They will be the example for all software devs to pay close attention to.
Pequi Posted September 23, 2017

I agree with DKT27 on this one. This was a BIG, experienced hacking group (much too experienced to leave silly clues behind). State-size big. Americans, Russians or even Chinese, we will probably never know. Each one had something to gain. The only thing I am absolutely sure of: it wasn't the Brazilian Government. We are not competent enough to watch our own country, let alone spy on others. ;)

PS --> The hack occurred after Avast bought Piriform. No amount of PR will convince us they are not responsible. For now Wise Disk Cleaner and BleachBit are both free alternatives, though you have to be careful to blacklist some stuff in both of them... read the result first before hitting delete.
steven36 Posted September 23, 2017

3 hours ago, Pequi said: PS --> The hack occurred after Avast bought Piriform. No amount of PR will convince us they are not responsible.

Who's us? I used Avast products for years once and never had a problem like this. It's typical of people who don't really know who or why to try to place the blame on someone or something, but till there is any proof it's just conspiracy theories, and this is not the 1st time some software was hacked. People have been butt hurt ever since Avast bought Crap Cleaner, and this gives them an ample reason to try to place the blame on Avast, because they were already trashing CC Cleaner ever since the day Avast bought them, long before this ever happened. If I was Avast I'd be angry if I had just bought a project I thought was a good investment and it got hacked. Something must have been wrong at Piriform or they would not have sold out for money; they are the ones who sold it, all Avast did was buy it. I'm not taking Avast's side on this and I'm not taking the haters' side either. I'm just going to play the Devil's Advocate, and the fact it was hacked will not make CC Cleaner belong to a small business again. Piriform done got their money and the deal was done, and blaming it on Avast without any proof won't reverse the fact it was hacked. When some other software was hacked in the past many people slammed them hard and it never made any difference; it still is the most popular software in its field. Only time will tell if this affects CC Cleaner, but I doubt it affects Avast security products because it's not even the same software.

Avast has been the most installed security product for like 15 years, and before that AVG was, which Avast owns now. Only Windows Defender has more users, which is not counted in the market share anymore because it's a baked-in product ever since Windows 8.1 and it's not installed, it's a 1st-party program. I have my reasons for not using Avast security products anymore, which were that it had too many false positives, but I'm not above using it again because I know how to exclude my crack folder. It's always a free option that is on the table. I'm not against any company that provides real-time security to millions of people for free, as long as they have, and shaped the security market into what it is today, where if a vendor doesn't offer anti-malware to protect people for free in real time, they will never hold the bulk of the market. No wonder Avast bought Crap Cleaner: they both sell keys for extra useless features when their free version is good enough. What I find strange is that Microsoft was on the hackers' list of targets when Microsoft condemned the use of CC Cleaner back when Windows 10 first came out and told people not to use it on their software lol.
sam3971 Posted September 23, 2017

@Steven, even with the condemnation of CCleaner, it only takes one rogue employee to have this version installed for M$ to become potentially compromised.