CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. Luckily with tools like AMP the additional visibility can usually help direct attention to the initial vector. Frequently, as with Nyetya, the initial infection vector can remain elusive for quite some time. The Nyetya worm that was released into the wild earlier in 2017 showed just how potent these types of attacks can be. This trust relationship is then abused to attack organizations and individuals and may be performed for a number of different reasons. This is because with supply chain attacks, the attackers are relying on the trust relationship between a manufacturer or supplier and a customer. Supply chain attacks are a very effective way to distribute malicious software into target organizations. Update 9/20: Continued research on C2 and payloads can be found here: /ccleaner-c2-concern Introduction
There was no analysis performed on the selected addresses beyond that they could be combined to create the destination. The resulting two A record IP addresses were then assigned to the DNS configuration. With the remaining bits of the destination address to create the second A record. The remaining 16 random bits were combined 16 bits of that were combined with 16 bits of the destination address to create the first A record. To control the connections Talos has to create two IPs such that they can be fed into the application to resolve to the sinkhole IP.ģ2 bits of random data were generated. The true destination IP is then computed and connected to. Generating a Monthly Domain name (all of which are controlled by Talos for 2017)īits of the true destination IP are encoded in the first A record, 16 bits are encoded in the second A recordĤ. The fallback command and control scheme in use by the CCBkdr involves:ġ. Update 9/19: There has been some confusion on how the DGA domains resolve.
Update 9/19: This issue was discovered and reported by both Morphisec and Cisco in separate in-field cases and reported separately to Avast. Update 9/18: CCleaner Cloud version is also reported to be affected
0 kommentar(er)
