Cyber Alert: CCleaner Software Supply Chain Compromise

Date Issued: September 19, 2017

The Multi-State Information Sharing and Analysis Center (MS-ISAC) is aware of a supply chain compromise affecting at least two versions of Piriform’s CCleaner software. (Piriform is owned by Avast.) The August 15 release of CCleaner version 5.33.6162 and the August 24 update of CCleaner Cloud version 1.07.3191 were compromised with Floxif malware. Updated versions, released on September 12, remediated the issue. Piriform worked with U.S. law enforcement, and the command and control (C2) server was shut down on September 15.

CCleaner allows users to manage applications and perform routine maintenance on their systems. Users also can clean temporary files, and analyze their system to determine ways to optimize performance.

The malware was packaged with the CCleaner update in the installation executable, which was signed using a valid digital signature issued to Piriform by Symantec. Because the trojanized installer carries a legitimate Piriform signature, a passing signature check does not distinguish it from a clean build; identification relies on the version numbers and file hashes listed below. Any user updating CCleaner to the infected versions would have downloaded the infected file. If the user updated to the 32-bit version of CCleaner, they then executed the infected file, installing the malware.

Floxif is a reconnaissance-stage malware, with the payload designed to set up communication to a C2 server in order to exfiltrate non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters). This information can then be used to tailor follow-on malware to the specific machine. Currently, VirusTotal shows that 40 of 64 detection engines detect the malware.

Piriform states that its incident response process is not yet complete and that any concerns related to the use of its digital certificate will be addressed as part of that process.

Indicators of Compromise

File associated with the compromised update:

  • ccleaner.exe
  • ccsetup533.exe

MD5 hash associated with the compromised update:

  • ccleaner.exe – ef694b89ad7addb9a16bb6f26f1efaf7, d488e4b61c233293bec2ee09553d3a2f
  • ccsetup533.exe – 75735db7291a19329190757437bdb847

IP address associated with the compromised update:

  • 216[.]126[.]225[.]148

DGA domains associated with the compromised update:

  • ab6d54340c1a[.]com
  • aba9a949bc1d[.]com
  • ab2da3d400c20[.]com
  • ab3520430c23[.]com
  • ab1c403220c27[.]com
  • ab1abad1d0c2a[.]com
  • ab8cee60c2d[.]com
  • ab1145b758c30[.]com
  • ab890e964c34[.]com
  • ab3d685a0c37[.]com
  • ab70a139cc3a[.]com

Affected Products

  • CCleaner v5.33 installer
  • CCleaner Cloud version 1.07.3191

Recommendations

The MS-ISAC recommends:

  • SLTT government entities should determine whether they are running the 32-bit version of CCleaner. If so, check whether version 5.33 is installed on their systems and, after appropriate testing, immediately upgrade to the latest CCleaner version. If the Cloud version is installed, verify that the auto-update feature has downloaded and installed a clean version.
  • If you downloaded either the 32-bit or 64-bit version, run antivirus and antimalware programs with up-to-date signatures to quarantine the infected file.
  • Review network logs for DNS requests from your organization to the listed domains.
  • Review your systems for copies of the compromised files.
  • Apply the principle of Least Privilege to all systems and services.
  • The MS-ISAC asks that you share this Cyber Alert with other potentially affected entities as CCleaner is commonly used software.
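The two hunting steps above (checking systems for copies of the compromised files, and reviewing DNS logs for the listed domains) can be scripted against the indicators in this alert. The following is an added example, not code from MS-ISAC, Piriform or Cisco. It hashes files under a directory and matches them against the published MD5s, and parses DNS query log lines for the DGA domains and for reverse (PTR) lookups of the C2 address. The log lines and the BIND-style query format are constructed for the demonstration; adapt the regular expression to your resolver's log format.

```python
"""Hunt for the CCleaner IoCs from this alert on disk and in DNS logs.

Added example (not MS-ISAC, Piriform or Cisco code). The DNS log format
assumed below is a BIND-style query log; the sample lines are constructed.
"""
import hashlib
import os
import re
import sys
from pathlib import Path

# MD5 IoCs from the alert, keyed by digest so matching is on content, not filename.
IOC_MD5 = {
    "ef694b89ad7addb9a16bb6f26f1efaf7": "ccleaner.exe",
    "d488e4b61c233293bec2ee09553d3a2f": "ccleaner.exe",
    "75735db7291a19329190757437bdb847": "ccsetup533.exe",
}
IOC_IP = {"216.126.225.148"}
# DGA domains from the alert, with the defanged "[.]" restored for matching.
IOC_DOMAINS = {
    d.replace("[.]", ".") for d in (
        "ab6d54340c1a[.]com", "aba9a949bc1d[.]com", "ab2da3d400c20[.]com",
        "ab3520430c23[.]com", "ab1c403220c27[.]com", "ab1abad1d0c2a[.]com",
        "ab8cee60c2d[.]com", "ab1145b758c30[.]com", "ab890e964c34[.]com",
        "ab3d685a0c37[.]com", "ab70a139cc3a[.]com",
    )
}

# Constructed sample log lines (not real traffic). Line 3 has mixed case and a
# trailing dot, line 5 is a PTR lookup of the C2 IP with the octets reversed.
SAMPLE_DNS_LOG = """\
18-Sep-2017 09:12:01.113 client 10.1.4.22#51233: query: www.piriform.com IN A + (10.1.0.5)
18-Sep-2017 09:12:03.401 client 10.1.4.22#51240: query: ab6d54340c1a.com IN A + (10.1.0.5)
18-Sep-2017 09:12:03.655 client 10.1.4.22#51241: query: AB1145B758C30.COM. IN A + (10.1.0.5)
18-Sep-2017 09:13:10.002 client 10.1.7.9#60001: query: update.microsoft.com IN A + (10.1.0.5)
18-Sep-2017 09:14:44.120 client 10.1.4.22#51300: query: 148.225.126.216.in-addr.arpa IN PTR + (10.1.0.5)
"""

QNAME_RE = re.compile(r"query:\s+(\S+)\s+IN\s+(\S+)", re.IGNORECASE)


def md5_file(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so large installers do not load into memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan_files(root, hashes=IOC_MD5):
    """Walk root; return [(path, md5, ioc_name)] for files whose MD5 is an IoC.
    A renamed copy of the installer still hits because only content is compared."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = Path(dirpath) / name
            try:
                digest = md5_file(p)
            except OSError:
                continue  # locked or unreadable file; log it in production
            if digest in hashes:
                hits.append((str(p), digest, hashes[digest]))
    return hits


def hunt_dns_lines(lines, domains=IOC_DOMAINS, ips=IOC_IP):
    """Return [(line, matched_ioc)] for queries to the IoC domains (or their
    subdomains) and for PTR lookups of the C2 IP."""
    hits = []
    for line in lines:
        m = QNAME_RE.search(line)
        if not m:
            continue
        qname = m.group(1).rstrip(".").lower()   # normalise case and trailing dot
        if any(qname == d or qname.endswith("." + d) for d in domains):
            hits.append((line.strip(), qname))
        elif qname.endswith(".in-addr.arpa"):
            # PTR names carry the octets reversed; undo that before comparing.
            ip = ".".join(reversed(qname[: -len(".in-addr.arpa")].split(".")))
            if ip in ips:
                hits.append((line.strip(), ip))
    return hits


def main():
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, digest, name in scan_files(root):
        print(f"FILE HIT {path} md5={digest} ({name})")
    for line, ioc in hunt_dns_lines(SAMPLE_DNS_LOG.splitlines()):
        print(f"DNS HIT  {ioc}: {line}")


if __name__ == "__main__":
    main()
```

Run it as `python hunt_ccleaner.py "C:\Program Files (x86)"` (or any directory) to hash files; the DNS part runs over the embedded sample so it can be tried offline. Hash matching only finds the exact published samples, so also check installed CCleaner version metadata for 5.33.6162 and 1.07.3191 rather than relying on the hashes alone.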

References

Piriform:
https://forum.piriform.com/index.php?showtopic=48869&page=1
https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users

Cisco:
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html