CCleaner v5.33 infected [split topic]

Well said !!! :-TU :wink:

Cisco apparently seems to have adorned itself with false feathers !!!

Some more Avast statements:

"The compromised version of CCleaner was released on August 15 and went undetected by any security company for four weeks, underscoring the sophistication of the attack. In our view, it was a well-prepared operation and the fact that it didn’t cause harm to users is a very good outcome, made possible by the original notification we received from our friends at security company Morphisec (more on this below) followed by a prompt reaction of the Piriform and Avast teams working together. We continue to be actively cooperating with law enforcement units, working together to identify the source of the attack."

[...] 

"Avast first learned about the possible malware on September 12, 8:35 AM PT from a company called Morphisec which notified us about their initial findings. We believe that Morphisec also notified Cisco. We thank Morphisec and we owe a special debt to their clever people who identified the threat and allowed us to go about the business of mitigating it. Following the receipt of this notification, we launched an investigation immediately, and by the time the Cisco message was received (September 14, 7:25AM PT), we had already thoroughly analyzed the threat, assessed its risk level and in parallel worked with law enforcement in the US to properly investigate the root cause of the issue."

[...] 

“BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team who appears to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. And, I should probably also say that it wasn’t Cisco who first notified us about the problem. The threat was first discovered and reported to us by researchers in a security company called Morphisec (thank you!). The threat was real, but to the best of our knowledge, it was fortunately mitigated before it could do any harm.”

CCleaner Malware second payload discovered

and the researchers suggest strongly that it may not be enough to simply update CCleaner to get rid of the malware.

:smiley: Attention!

The following information helps identify if a stage 2 payload has been planted on the system.

The 32-bit trojan is TSMSISrv.dll, the 64-bit trojan is EFACli64.dll.

Identifying Stage 2 Payloads


Registry Keys:

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Files:

GeeSetup_x86.dll (Hash: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83)
EFACli64.dll (Hash: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f)
TSMSISrv.dll (Hash: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902)

DLL in Registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
Stage 2 Payload: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

“I had a panic attack because I do have WbemPerf in registry” ;D it is empty.

It seems Symantec added signatures for the 2nd payload 50 mins ago

Hello,
Still on the same subject:

Cisco Talos Intelligence researchers have discovered a second malware in the corrupted version of CCleaner. In addition to updating the software, they recommend restoring your PC.
Like a second layer inside. The second stage of a particularly vicious rocket. Earlier this week, security researchers at Cisco Talos Intelligence revealed that CCleaner’s widely used “cleaning” software had been carrying a backdoor since mid-August. The malicious code appeared to have been placed there after an intrusion on the network of Piriform, publisher of the software. An upgrade to a cleaner and more recent version was strongly recommended.
Today, these same researchers are publishing a new document that contains the fruit of their ongoing investigation. Bad surprise: there was not one but two malicious “payloads” in CCleaner. While Piriform strongly encourages the users of its program to carry out a new update, the advice of the Talos Intelligence researchers goes a little further than that.
Go back, emergency

“Those affected by this attack should not simply remove the affected version of CCleaner or update it to the latest version,” they explain. Why? Because after a first, then a second stage, the descent to the Underworld could continue. In fact, the contaminated computers may by now carry more than two malware.
CCleaner users concerned “must restore from a backup or a system image to ensure that they have completely removed not only the version of CCleaner containing the backdoor but any other malware that may reside on the system.”

In other words, the message is clear: it will be necessary to go back in time, before August 15 and before the corrupted update (v5.33 and following) was installed. Taking into account the figures provided by Piriform, CCleaner records five million installations a week. It can therefore be estimated that about 30 million corrupted versions have been installed. Precautions are therefore necessary.
For September 12-16 alone, the Main Malware Control Center database indicated that just over 700,000 contaminated machines had logged in to take their orders. On the other hand, only about 20 PCs would have received the second malware, still during this period.

Some evidence of contamination
For the most worried of you, it is possible to find clues that will allow you to know if your machine is contaminated. First, registry keys are added by the second-stage Trojan.

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP

Moreover, you should also find traces of the specific files below.

GeeSetup_x86.dll: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
EFACli64.dll (the 64-bit Trojan horse): 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f
TSMSISrv.dll (the 32-bit Trojan horse): 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902

DLL in the registry:
f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a
Second payload:
dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

In order to determine if a machine is infected, the following should be checked:
If an affected version is installed on the machine, the presence of the Windows registry key HKLM\SOFTWARE\Piriform can be verified on the system.
In case of compromise, the machine will have communicated with the IP address 216.126.225.148_BAD_ or with one of the following domains:

• ab6d54340c1a [.] Com.BAD
• aba9a949bc1d [.] Com.BAD
• ab2da3d400c20 [.] Com.BAD
• ab3520430c23 [.] Com.BAD
• ab1c403220c27 [.] Com.BAD
• ab1abad1d0c2a [.] Com.BAD
• ab8cee60c2d [.] Com.BAD
• ab1145b758c30 [.] Com.BAD
• ab890e964c34 [.] Com.BAD
• ab3d685a0c37 [.] Com.BAD
• ab70a139cc3a [.] Com.BAD

If this is the case, the machine must be considered potentially compromised and restored to a state prior to August 15, 2017, or preferably completely re-imaged.

If these items are on your machine, you can only restore a backup or image of your operating system that was established before August 15th.


A whole new dimension
The discovery of the second payload also revealed that the malware targets specific companies, in order to steal sensitive data, according to all logic. The names of Cisco, Microsoft, Samsung, HTC and Sony are also found. But this list would have evolved over time and over the life of this malware, Talos Intelligence adds, specifying that several hundred machines belonging to government domain names have also been targeted.

This new information is even more worrying to security researchers because it identifies a “possibly unknown” actor with significant resources. Is this a group of hackers backed by a state or a big industrialist? Talos Intelligence does not say so. It is just stated in its communication that one of the files found on malware control center servers refers to the time zone of the People’s Republic of China.

Engineers are careful to say that this cannot be enough to attribute this attack to Chinese hackers. Obviously.
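The indicators quoted in this thread (the Talos registry keys and file hashes posted earlier, and the C2 IP and domains listed in this post) are only useful if they can be matched against data a defender already has: a DNS or proxy log, a SHA-256 file inventory from an endpoint agent, and an exported registry key listing. The script below does that matching. It is an added example, not code from the thread, from Talos or from Avast; the log line format, the inventory dictionary and the key listing are assumptions, and the sample lines are constructed. It also refangs the "[.] Com.BAD" / "_BAD_" notation used above, and treats only the WbemPerf subkeys as indicators, since the parent key can exist on a clean machine (as one poster found).

```python
"""Match the CCleaner stage 2 indicators from the thread against offline data.

Added example, not code from the thread, Talos or Avast. The log format,
inventory dict and key listing are assumptions; sample data is constructed.
"""
import re

# Registry subkeys named in the thread. The parent WbemPerf key may exist on a
# clean machine (one poster found it empty); the indicator is the subkeys.
WBEMPERF_PARENT = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf"
WBEMPERF_SUBKEYS = {WBEMPERF_PARENT + "\\" + n for n in ("001", "002", "003", "004", "HBP")}

# SHA-256 values as listed in the thread, keyed by hash, with the name Talos gave them.
STAGE2_HASHES = {
    "dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83": "GeeSetup_x86.dll / stage 2 payload",
    "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f": "EFACli64.dll (64-bit trojan)",
    "07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902": "TSMSISrv.dll (32-bit trojan)",
    "f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a": "DLL stored in registry",
}

# Network indicators, kept in the defanged form used in the thread.
DEFANGED_C2 = [
    "216.126.225.148_BAD_",
    "ab6d54340c1a [.] Com.BAD", "aba9a949bc1d [.] Com.BAD", "ab2da3d400c20 [.] Com.BAD",
    "ab3520430c23 [.] Com.BAD", "ab1c403220c27 [.] Com.BAD", "ab1abad1d0c2a [.] Com.BAD",
    "ab8cee60c2d [.] Com.BAD", "ab1145b758c30 [.] Com.BAD", "ab890e964c34 [.] Com.BAD",
    "ab3d685a0c37 [.] Com.BAD", "ab70a139cc3a [.] Com.BAD",
]


def refang(indicator: str) -> str:
    """Normalise 'x [.] Com.BAD' or 'ip_BAD_' to the lowercase form seen in logs."""
    s = indicator.lower().replace("_bad_", "")
    s = re.sub(r"\s*\[\.\]\s*", ".", s)
    if s.endswith(".bad"):
        s = s[:-4]
    return s.strip()


C2_INDICATORS = {refang(x) for x in DEFANGED_C2}


def _normalise_key(path: str) -> str:
    """Collapse the 'HKLM \\ Software \\ ...' spacing seen in copied key paths, lowercase it."""
    s = re.sub(r"\s*\\\s*", "\\\\", path.strip()).lower()
    return s.replace("hkey_local_machine", "hklm")


_WBEMPERF_NORMALISED = {_normalise_key(k) for k in WBEMPERF_SUBKEYS}


def registry_hits(key_listing):
    """Return the listed keys (as given) that are one of the stage 2 WbemPerf subkeys."""
    return [k for k in key_listing if _normalise_key(k) in _WBEMPERF_NORMALISED]


def hash_hits(inventory):
    """inventory: {path: sha256_hex}. Return (path, description) for every known stage 2 hash."""
    return [(p, STAGE2_HASHES[h.lower()]) for p, h in inventory.items() if h.lower() in STAGE2_HASHES]


def dns_log_hits(lines):
    """Return (line_no, indicator) for every log line whose tokens name the C2 IP or a C2 domain."""
    hits = []
    for n, line in enumerate(lines, 1):
        for tok in re.split(r"[\s,;=\"'()]+", line.lower()):
            tok = tok.strip("./")
            if re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}:\d+", tok):  # drop a trailing port
                tok = tok.rsplit(":", 1)[0]
            if tok in C2_INDICATORS:  # exact token match, so "notab6d54340c1a.com" is not a hit
                hits.append((n, tok))
    return hits


# Constructed sample data (assumed key=value log format).
SAMPLE_DNS_LOG = [
    "2017-09-13T10:02:11Z client=10.0.0.7 query=www.example.com type=A",
    "2017-09-13T10:02:12Z client=10.0.0.7 query=ab6d54340c1a.com type=A",
    "2017-09-13T10:02:13Z client=10.0.0.9 connect=216.126.225.148:443 proto=tcp",
    "2017-09-13T10:02:14Z client=10.0.0.9 query=notab6d54340c1a.com type=A",
]
SAMPLE_REGISTRY_KEYS = [
    WBEMPERF_PARENT,  # parent key alone is not an indicator
    r"HKLM \ Software \ Microsoft \ Windows NT \ CurrentVersion \ WbemPerf \ 001",
]
SAMPLE_INVENTORY = {
    r"C:\Windows\System32\EFACli64.dll": "128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f",
    r"C:\Windows\System32\kernel32.dll": "0" * 64,  # constructed benign placeholder hash
}

if __name__ == "__main__":
    print("DNS/proxy hits:", dns_log_hits(SAMPLE_DNS_LOG))
    print("Registry hits:", registry_hits(SAMPLE_REGISTRY_KEYS))
    print("Hash hits:", hash_hits(SAMPLE_INVENTORY))
```

Feed `dns_log_hits` the last few weeks of resolver or proxy logs rather than a single host's cache: the Talos figures above say 700,000 machines checked in during September 12-16 alone, so the network data, not the endpoint, is where a first-stage victim is most visible.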

Zorkas, I split and merged your topic with this topic. It’s better suited here.

In this forum post from the Avast forums Avast explains the situation and why a reformat was not deemed necessary:

At the same time, we wanted to understand whether the second stage payload could have already activated before the threat was discovered. Now, the good thing is that about 30% of CCleaner users also run Avast security software, which allowed us to analyze behavioral, traffic and file/registry data from those machines. Based on this analysis, we can say with high confidence that to the best of our knowledge, the second stage payload never activated, i.e. the only malicious code present on customer machines was the one embedded in the ccleaner.exe binary itself. We also asked our colleagues from other security companies, but haven't heard anyone seeing anything suspicious either. And that's great news, as it means that despite the high sophistication of the attack, we managed to disarm the system before it was able to do any harm. To that end, we don't consider the advice to reformat and/or restore the affected machines to the pre-August 15 state to be based on facts (by similar logic, security companies are not usually advising customers to reformat their machines after a remote code execution vulnerability is identified on their computer, just because there was a hypothetical possibility that something might have gotten in).

BTW, I have to say I was quite disappointed by the approach taken by the Cisco Talos team who appears to be trying to use information about this incident to drive marketing activities and piggyback on the case to increase the visibility of their upcoming product. And, I should probably also say that it wasn’t Cisco who first notified us about the problem. The threat was first discovered and reported to us by researchers in a security company called Morphisec (thank you!). The threat was real, but to the best of our knowledge, it was fortunately mitigated before it could do any harm.

In-Depth Analysis of the CCleaner Backdoor Stage 2 Dropper and Its Payload!