A new report by Cisco's Talos Group suggests that the CCleaner hack was more sophisticated than initially thought. During their analysis of the malware, the researchers found evidence of a second payload that was delivered only to machines in a specific set of domains.

On September 18, 2017, Piriform reported that the company's infrastructure had distributed a malicious version of the file cleaning software CCleaner for about a month.

The company's infrastructure was compromised, and users who downloaded version 5.33 of CCleaner from the website or installed it through automatic updates received the infected version on their system.

We talked about methods to identify whether an infected version is installed on the system. Probably the best indicator, apart from checking CCleaner's version, is to check for the existence of Registry keys under HKLM\SOFTWARE\Piriform\Agomo.

Piriform was quick to state that users could resolve the issue by updating to the new malware-free version of CCleaner.

A new report suggests that this may not be enough.

Talos Group found evidence that the attack was more sophisticated, as it targeted a specific list of domains with a second payload.


The researchers suggest that the attacker was after intellectual property, since the domains on the list belong to high-profile tech companies.

Interestingly, the array specified contains Cisco's domain (cisco.com) along with other high-profile technology companies. This would suggest a very focused actor after valuable intellectual property.

Talos Group had already suggested restoring affected systems from a backup created before the infection. The new evidence reinforces this: the researchers state strongly that simply updating CCleaner may not be enough to get rid of the malware.

These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.

The stage 2 installer is GeeSetup_x86.dll. It checks the version of the operating system and, based on the result, plants a 32-bit or 64-bit version of the trojan on the system.

The 32-bit trojan is TSMSISrv.dll; the 64-bit trojan is EFACli64.dll.

Identifying Stage 2 Payloads

The following information helps identify whether a stage 2 payload has been planted on the system.

Registry Keys:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Files:

GeeSetup_x86.dll (Hash: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83)

EFACli64.dll (Hash: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f)

TSMSISrv.dll (Hash: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902)

DLL in Registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

Stage 2 Payload: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
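As an added example (not code from the article or from Talos), the following read-only PowerShell check looks for the stage 1 Agomo key and the stage 2 registry and file indicators listed above on the local host. The search roots, and the handling of the WbemPerf entries as either subkeys or values, are assumptions; run it from an elevated prompt.

```powershell
# Added example, not code from the article or from Talos. Read-only host check
# for the CCleaner stage 1 and stage 2 indicators quoted in the article.

$registryIndicators = @(
    'HKLM:\SOFTWARE\Piriform\Agomo',                                   # stage 1 backdoor
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001', # stage 2
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\002',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\003',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\004',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP'
)

# File name -> SHA-256 as published in the article.
$fileIndicators = @{
    'GeeSetup_x86.dll' = 'dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83'
    'EFACli64.dll'     = '128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f'
    'TSMSISrv.dll'     = '07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902'
}

# Assumed search roots; the article does not say where the DLLs are dropped.
$searchRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$hits = @()

foreach ($indicator in $registryIndicators) {
    # The article lists these as keys; the entries may also exist as values
    # under the parent key, so both forms are checked.
    $parent  = Split-Path -Path $indicator -Parent
    $leaf    = Split-Path -Path $indicator -Leaf
    $isKey   = Test-Path -LiteralPath $indicator
    $isValue = (Test-Path -LiteralPath $parent) -and ($null -ne (Get-ItemProperty -LiteralPath $parent -Name $leaf -ErrorAction SilentlyContinue))
    if ($isKey -or $isValue) { $hits += "Registry: $indicator" }
}

foreach ($root in $searchRoots) {
    $candidates = Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $fileIndicators.ContainsKey($_.Name) }
    foreach ($file in $candidates) {
        # A name match alone is reported too, since a rebuilt sample would change the hash.
        $hash   = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash.ToLower()
        $status = if ($hash -eq $fileIndicators[$file.Name]) { 'hash matches published IoC' } else { 'name matches, hash differs' }
        $hits  += "File: $($file.FullName) ($status)"
    }
}

if ($hits.Count -eq 0) {
    Write-Output 'No CCleaner stage 1/stage 2 indicators found.'
} else {
    Write-Output 'Indicators found; per Talos, restore from a pre-infection backup or reimage:'
    $hits | ForEach-Object { Write-Output "  $_" }
}
```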

Article: CCleaner Malware second payload discovered. Author: Martin Brinkmann. Publisher: Ghacks Technology News.
