A new report by Cisco's Talos Group suggests that the CCleaner hack was more sophisticated than initially thought. The researchers found evidence of a second payload during their analysis of the malware which targeted very specific groups based on domains.
On September 18, 2017 Piriform reported that the company's infrastructure distributed a malicious version of the file cleaning software CCleaner for about a month.
The company's infrastructure was compromised, and users who downloaded version 5.33 of CCleaner from the website or used automatic updates to install it, got the infected version on their system.
We talked about methods to identify if an infected version is installed on the system. Probably the best indicator, apart from checking CCleaner's version, is to check for the existence of Registry keys under HKLM\SOFTWARE\Piriform\Agomo.
Piriform was quick to state that users could resolve the issue by updating to the new malware-free version of CCleaner.
A new report suggests that this may not be enough.
Talos Group found evidence that the attack was more sophisticated, as it targeted a specific list of domains with a second payload.
The researchers suggest that the attacker was after intellectual property based on the list of domains that belong to high profile tech companies.
Interestingly the array specified contains Cisco's domain (cisco.com) along with other high-profile technology companies. This would suggest a very focused actor after valuable intellectual property.
Talos Group suggested to restore the computer system using a backup that was created prior to the infection. The new evidence reinforces this, and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware.
These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.
The stage 2 installer is GeeSetup_x86.dll. It checks the version of the operating system, and plants a 32-bit or 64-bit version of the trojan on the system based on the check.
The 32-bit trojan is TSMSISrv.dll, the 64-bit trojan is EFACli64.dll.
Identifying Stage 2 Payloads
The following information helps identify if a stage 2 payload has been planted on the system.
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP
- GeeSetup_x86.dll (Hash: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83)
- EFACli64.dll (Hash: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f )
- TSMSISrv.dll (Hash: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 )
- DLL in Registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
- Stage 2 Payload: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83