Another major hack has taken place, and those who discovered it say the culprits are professional, possibly nation-state, actors. The latest attack is against the AVAST product CCleaner. CCleaner is an application that allows users to perform routine maintenance on their systems, including cleaning temporary files and analyzing the system to determine performance optimizations.

Of particular concern is the fact that AVAST is recognized as an Anti-Virus (AV) vendor. It is not uncommon for AV vendors to automatically update their customers with the latest versions and search data. If the distribution supply chain has been compromised, then the AV company has itself become a distributor of virus software to its clients. CCleaner reportedly has over two billion downloads, and AVAST has initially evaluated the number of infections at 2.3 million. Since being notified by CISCO's TALOS team, the version of CCleaner containing the malicious payloads has been removed and is no longer available. Users who recently downloaded CCleaner are advised to get the latest update, which does not contain the virus code.

CISCO Systems' TALOS group discovered that CCleaner was infected with malware. The malware was a multi-stage payload riding on top of the downloadable installation of CCleaner. The malware contained a payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. In short, the AVAST distribution system was breached, and the current version of the downloadable software had been contaminated with hostile software.

Worse still, the downloaded installation executable was signed with a valid digital signature, so it was recognized as the official version. The valid digital signature on the malicious CCleaner points toward a larger breach, because either the development process or the signing process for software distribution was compromised.

The malware is designed to run just before the CCleaner activity starts up. The malware decrypts data containing the two stages of the payload: a loader and a DLL file that is the actual malware payload. CISCO determined the authors tried to reduce detection of the malicious code by zeroing out the header operations. According to researchers, this suggests the attackers were trying to "remain under the radar to normal detection techniques".

The CCleaner malware collects system information such as the computer name, admin login and password, and the software installed on the system. The malware encrypts the stolen information and then encodes it for transmission using a modified Base64 scheme. It then establishes a Command and Control (C2) connection and transmits the data to the attackers' main computer.

The malware also employs a domain generation algorithm (DGA). Basically, the DGA is a formula for generating domain names. If the malware detects that an attacker C2 server is down, it uses the DGA to create a new domain to communicate with. The use of a DGA is neither new nor common in the malware community, so this particular feature indicates the culprits may be far more sophisticated than a standard criminal operation.

The CISCO TALOS team that discovered the DGA code also took steps to block the hackers. They noted that the DGA domains had not been registered, so they "registered and sinkholed them to prevent attackers from being able to use them for malicious purposes".
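As an added illustration, not the CCleaner code (whose actual DGA formula is not described here), the Python below shows a hypothetical date-seeded DGA alongside the defender's side of the story: because the formula is deterministic, a defender who has it can precompute every domain for a window of days, register and sinkhole them before the malware asks for them, and match DNS logs against the same list. The TLDs, dates and DNS log format are constructed for the example.

```python
import hashlib
from datetime import date, timedelta

# Constructed values for the illustration; not taken from the CCleaner samples.
TLDS = ("com", "net", "org")
SAMPLE_START = date(2017, 9, 18)


def dga_domains(seed_date: date, count: int = 3) -> list:
    """Hypothetical date-seeded DGA. Each day yields `count` deterministic
    domains; infected hosts and anyone who has reversed the formula derive
    exactly the same list, which is what makes pre-registration possible."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_date.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:12])
        domains.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return domains


def precompute_blocklist(start: date, days: int) -> set:
    """Defender side: enumerate every domain the formula can emit over a window
    so they can be registered/sinkholed ahead of the malware, as Talos did."""
    block = set()
    for offset in range(days):
        block.update(dga_domains(start + timedelta(days=offset)))
    return block


def flag_dns_queries(log_lines, blocklist) -> list:
    """Match DNS query logs against the precomputed list.
    Constructed line format: '<timestamp> <client-ip> query <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].lower().rstrip(".")
            if qname in blocklist:
                hits.append((parts[1], qname))
    return hits


# Constructed DNS log: one benign query and one query for a day-2 DGA domain.
SAMPLE_LOG = [
    "2017-09-19T10:01:02 10.0.0.5 query www.example.com.",
    f"2017-09-19T10:01:09 10.0.0.7 query {dga_domains(SAMPLE_START + timedelta(days=1))[1]}.",
]

if __name__ == "__main__":
    blocklist = precompute_blocklist(SAMPLE_START, 30)
    print(f"{len(blocklist)} domains to sinkhole; hits: {flag_dns_queries(SAMPLE_LOG, blocklist)}")
```

A real response would feed the precomputed list to the registrar and the resolver's response-policy zone at the same time, so the domains are both owned by the defender and answered locally.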

Hackers previously used a similar contaminated distribution system to spread the Petya malware, by infecting an obscure Ukrainian software company that sold and distributed tax applications. The ability to penetrate and exploit a much larger and better-equipped AVAST system, through its Piriform web site group, shows that this threat is going to continue to grow. The CIA has also been noted in the WikiLeaks Vault 7 documents as using supply chain attacks, usually through hardware vendors such as Wi-Fi and industrial servers.

Link to CISCO Talos Group
