

Check out our follow up blog here: Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers

Recently, there have been a few attacks with a supply chain infection, such as Shadowpad being implanted in many of Netsarang's products, affecting millions of people. You may have the most up to date cyber security software, but when the software you are trusting to keep you protected gets infected there is a problem. A backdoor, inserted into legitimate code by a third party with malicious intent, leads to millions of people being hacked and their information stolen.

Avast's CCleaner software had a backdoor encoded into it by someone who had access to the supply chain. Through somewhere that had access to the source code of CCleaner, the main executable in v had been modified to include a backdoor. The official statement from Avast can be found here.

The Big Connection:

Costin Raiu, director of Global Research and Analysis Team at Kaspersky Lab, was the first to find a code connection between APT17 and the backdoor in the infected CCleaner:

"The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella'."

Using Intezer Analyze™, we were able to verify the shared code between the backdoor implanted in CCleaner and earlier APT17 samples. The photo below is the result of uploading the CCBkdr module to Intezer Analyze™, where the results show there is an overlap in code. With our technology, we can compare code to a huge database of malicious and trusted software - that's how we can prove that this code has never been seen before in any other software.

A deeper analysis leads us to the functions shown below. The code in question is a unique implementation of base64 only previously seen in APT17 and not in any public repository, which makes a strong case for attribution to the same threat actor. APT17, also known as Operation Aurora, is one of the most sophisticated cyber attacks ever conducted, and they specialize in supply chain attacks. In this case, they probably were able to hack CCleaner's build server in order to plant this malware. Operation Aurora started in 2009, and to see the same threat actor still active in 2017 could possibly mean there are many other supply chain attacks by the same group that we are not aware of. The previous attacks are attributed to a Chinese group called PLA Unit 61398.

A technical analysis was posted by Talos here. The infected CCleaner file that begins the analysis is: 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9

The flow-graph of the malicious CCleaner is as follows (taken from the Talos report):

After the embedded code is decrypted and executed, the next step is a PE (portable executable) file loader.

The stage 2 installer is GeeSetup_x86.dll. This installer checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. The x86 version is using a trojanized TSMSISrv.dll, which drops VirtCDRDrv (which matches the filename of a legitimate executable that is part of Corel) using a similar method to the backdoored CCleaner tool. The x64 version drops a trojanized EFACli64.dll file named SymEFA, which is the filename taken from a legitimate executable that is part of "Symantec Endpoint". None of the files that are dropped are signed or legitimate. Effectively, they patch a legitimate binary to package their malware.

Additionally, the setup put an encoded PE in the registry:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

The purpose of the trojanized binary is to decode and execute this PE in registry. This PE performs queries to additional C2 servers and executes in-memory PE files. This may complicate detection on some systems since the executable files are never stored directly on the file system.

Within the registry is a lightweight backdoor module which is run by the trojanized files. This backdoor retrieves an IP from data stegged into a or search, from which an additional PE module is downloaded and run.
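As an added hunting check (not code from this blog or from Talos), the PowerShell below looks for the stage 2 artifacts described above: the WbemPerf registry entries and the dropped file names, flagging only copies that lack a valid Authenticode signature, since legitimate Corel and Symantec files carrying the same names are signed. It assumes the 001-004 entries may be stored either as registry values or as subkeys, and it searches only Program Files and System32.

```powershell
# Added hunting check for the CCleaner stage 2 artifacts (not the blog's or Talos's own tooling).
# Assumptions: WbemPerf\001..004 may be registry values or subkeys, so both forms are checked;
# the file search is limited to Program Files and System32.
$regBase  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf'
$findings = @()

if (Test-Path $regBase) {
    $props = Get-ItemProperty -Path $regBase -ErrorAction SilentlyContinue
    foreach ($name in '001', '002', '003', '004') {
        # Value form: a large REG_BINARY blob is what an encoded PE stored in the registry looks like
        $val = $props.$name
        if ($null -ne $val) {
            $findings += "Registry value $regBase\$name present ($($val.Length) bytes)"
        }
        # Subkey form
        if (Test-Path (Join-Path $regBase $name)) {
            $findings += "Registry subkey $regBase\$name present"
        }
    }
}

# File names from the stage 2 description; legitimate Corel/Symantec files with these names are signed,
# so only copies without a valid signature are reported
$suspectNames = 'GeeSetup_x86.dll', 'TSMSISrv.dll', 'EFACli64.dll', 'VirtCDRDrv*', 'SymEFA*'
$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemRoot\System32") | Where-Object { $_ }

foreach ($root in $roots) {
    foreach ($pattern in $suspectNames) {
        Get-ChildItem -Path $root -Filter $pattern -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $sig = Get-AuthenticodeSignature -FilePath $_.FullName
                if ($sig.Status -ne 'Valid') {
                    $findings += "Unsigned or invalid-signature file: $($_.FullName) [$($sig.Status)]"
                }
            }
    }
}

if ($findings.Count -eq 0) {
    'No CCleaner stage 2 indicators found'
} else {
    $findings
}
```

Run from an elevated prompt so the HKLM key and all of Program Files are readable; a hit on the registry entries alone is worth triage even when no file is found, because the stage 2 PE is executed from the registry rather than from disk.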
