Hunt: CCleaner Backdoor

Threat Description

CCleaner, short for “Crap Cleaner”, is a common Windows utility used for removing invalid registry entries and programs and for performing other “optimizations” in a Windows operating system. It’s used by 130 million people and was acquired by Avast in July 2017. In September 2017, Avast discovered that an attacker had modified a specific build of the program in order to propagate malware to all the active CCleaner users.

This week it was discovered that the attackers actually made some mistakes when executing the attack: they deployed the keylogger and data exfiltration in an unintended stage of the attack.

Let’s take a look at how to hunt down this threat.

Indicators of Compromise (“IOCs”)

The attackers used ShadowPad, which is typically the calling card of Axiom, aka APT17, a nation-state group out of China. Avast validated that only a specific build was affected by this attack. Many vendors have released IOCs for this threat, including Talos Intelligence. Additional details on the binary used for this demonstration can be found on VirusTotal.

File Names

  • CCleaner.exe
  • CCLEANER.EXE
  • CCleaner533.exe
  • CCleaner [32-bit].exe
  • CCleaner (2017_08_26 16_59_31 UTC).exe

File Hashes

  • 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
  • 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
  • 36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9

IP Addresses

  • 216.126.225.148

Historical Search via Search Builder

We’re going to utilize the “Search Builder” feature from DarkBytes Collect to see what hosts are affected by this widespread infection. The Search Builder combs through months of historical endpoint data that is gathered from Query Packs.

We’ve got a few indicators to work with, so we will take them one by one.

File Names

We can utilize the Search Builder function of DarkBytes Collect to easily check for filenames or processes that include the string “ccleaner”. This is a quick-and-easy way to see a breakdown of where CCleaner is downloaded, installed, and running.

  • Select “Name” from the Field dropdown, “in” from the Operator dropdown, and type “ccleaner” into the value.
  • Click “Add” to add the search criteria and “Search” to kick it off.

We can instantly see that one machine has executed CCleaner, indicated by the data under the “running_processes_windows” tab, and that the process even made network connections, as indicated by the selected “open_sockets” tab. It’s not looking good for this host.

File Hashes

Next we’re going to use a file hash to get a better idea of whether the “ccleaner” process is indeed one of the known infected builds. We’ll continue to use the Search Builder, but this time we will change the criteria to a SHA256 hash from our IOCs.

  • Remove previous criteria by clicking “Clear all”.
  • Select “SHA256” from the Field dropdown, “==” from the Operator dropdown, and paste the SHA256 hash into the value.
  • Click “Add” to add the search criteria and “Search” to kick it off.

Now we know that this host is certainly infected. We can even see the exact file locations where the infected binaries exist and the running processes (if any) associated with them.

IP Addresses

Let’s continue and see if it has communicated with the known threat IP address. Again, we will utilize the Search Builder and adjust the criteria to match the known IOCs.

  • Remove previous criteria by clicking “Clear all”.
  • Select “Remote IP Address” from the Field dropdown, “==” from the Operator dropdown, and paste the IP address into the value.
  • Click “Add” to add the search criteria and “Search” to kick it off.

The result shown under “open_sockets” indicates that there was indeed communication with the threat actor’s IP address.

Real-Time Search via Distributed Query

Next we’ll dive into validating the infection in real-time using the Distributed Query feature in DarkBytes Collect. This feature allows for queries to be sent to thousands of endpoints in real-time. This is a great way to perform validation once a threat has been hunted.

Let’s write a simple SQL query to search for the hash in the downloads folder:

SELECT ctime, filename, path, hash.md5, hash.sha1, hash.sha256
FROM file JOIN hash USING (path)
WHERE (path LIKE '/home/%/Downloads/%%' 
OR path LIKE '/Users/%/Downloads/%%'
OR path LIKE 'C:\Users\%\Downloads\%%') 
AND sha256 = '6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9';

This query will recursively search the “Downloads” folder on Linux, OSX, and Windows systems for the specific SHA256 hash that we identified earlier. As seen below, we’ve instantly confirmed the file still exists in 2 different locations on the host.
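The same real-time validation can cover the other two indicator types from the IOC list: running processes and network connections. The queries below are an added example, not part of the original post; they assume that Distributed Query exposes the standard osquery tables processes and process_open_sockets alongside the file and hash tables used above.

```sql
-- Added example (not from the original post).
-- Assumption: the endpoint agent exposes the osquery tables
-- processes, process_open_sockets and hash.

-- 1. Running processes whose on-disk executable matches any of the
--    SHA256 IOCs listed on this page, regardless of the file name.
SELECT p.pid, p.name, p.path, p.cmdline, h.sha256
FROM processes AS p
JOIN hash AS h USING (path)
WHERE h.sha256 IN (
  '6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9',
  '1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff',
  '36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9'
);

-- 2. Any process that currently holds a socket to the IOC IP address.
--    The LEFT JOIN keeps processes whose executable can no longer be
--    hashed (for example, the file was deleted after launch); those
--    rows come back with a NULL sha256 and still deserve triage.
SELECT p.pid, p.name, p.path,
       s.protocol, s.local_port, s.remote_address, s.remote_port,
       h.sha256
FROM process_open_sockets AS s
JOIN processes AS p USING (pid)
LEFT JOIN hash AS h ON h.path = p.path
WHERE s.remote_address = '216.126.225.148';
```

The socket query only sees connections that are open at the moment it runs, so an empty result does not clear a host; the historical “open_sockets” search remains the check for past communication.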

Conclusion

Even signed, well-known software can turn into an attack vector that breaches your organization. Combining continuous and real-time visibility into endpoints is key to reducing incident response times and ultimately business impact.


References

  • https://threatpost.com/ccleaner-attackers-intended-to-deploy-keylogger-in-third-stage/130358/
  • https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident
  • http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html