On September 18, Cisco’s Talos team published that Avast’s recently acquired subsidiary Piriform was leveraged to deliver malware to unsuspecting victims via its IT utility tool, CCleaner. For about a month, from mid-August until September 12, the tool’s latest official release (v5.33) also contained a multi-stage malware payload hidden within the installation of CCleaner.
CCleaner is an application that allows users to perform routine maintenance on their systems. It includes functionality such as cleaning of temporary files, analyzing the system to determine ways in which performance can be optimized and provides a more streamlined way to manage installed applications.
Since the binary was digitally signed using a valid certificate issued to the original software developer, it is likely that an external attacker compromised a portion of Avast’s development or build environment, and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization.
It appears that behind this campaign was a sophisticated attacker, specifically targeting IT companies using a supply chain attack to compromise a vast number of victims, persistently.
Compromising CCleaner Step by Step
The first stage of the malware is very paranoid and extremely cautious. For example, it uses a clever time skew detection mechanism. First, it records the current system time on the infected system. It then delays for 601 seconds before continuing operations. To implement this delay functionality, the malware calls to anther function, which attempts to ping 18.104.22.168 using a timeout set to 601 seconds. It then checks to determine the current system time to see if 600 seconds have elapsed. If that condition is not met, the malware terminates execution while the CCleaner binary continues normal operations. This is a unique way to avoid a sandbox without calling sleep function directly.
The malware then checks to determine the privileges assigned to the user running on the system. If the current user running the malicious process is not an administrator the malware will terminate its execution.
Once the malware starts running, it profiles the system and gathers system information, which is later transmitted to the C2 server. During the investigation, security researchers got an archive containing files that were stored on the C2 server. One of the files contained a list of organizations, that were specifically targeted through the delivery of a second-stage loader. The list of the domain the attackers were attempting to target contains high-profile technology companies (Microsoft, Cisco, VMware etc.)
There are some striking similarities between the code injected into CCleaner and the APT17/Aurora malware created by a Chinese APT group in 2014/2015.
We want to inform our customers they are fully protected from this threat without the need for any signature or update. Minerva prevented the entire attack with its Memory Injection Prevention module.
Note: in some scenarios Minerva will prevent this threat but won’t alert.
Further details about the incident may be found here: http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html