The latest malware attack, embedded in the PC utility program CCleaner, reportedly came from the same group that planned the 2009 Operation Aurora. This hacker group goes by several names: APT 16, Group 72, Axiom, Aurora, and APT 17.
According to tech website WCCFTech.com, at least 2.2 million of CCleaner's more than one billion users have been infected. This number represents only the users who ran the modified version (5.33.6162) of this popular PC utility program, used to clean unwanted files, between Aug. 15, 2017, and Sept. 15, 2017.
Collecting data from companies
Cisco's Talos research group meticulously dissected each instance of the attack and revealed that at least 20 companies were targeted by the latest malware attack using CCleaner. The tech companies include HTC, Samsung, Sony, VMware, Intel, Microsoft, O2, Vodafone, Linksys, Epson, MSI, Google, D-Link, and even Cisco itself. The list also includes the gaming and gambling company Gauselmann.
Talos acknowledged that the malware was sophisticated and well organized, and that the attack was composed of two stages. In the first stage, the attackers devised a detection process that validates the visitor's information using a symbolic link, or symlink.
In this way, the server can redirect visitors either to the real Piriform website, where they download the legitimate CCleaner file, or to the "x.php" file, which contains the malicious CCleaner version.
The researchers have a simpler way of putting this. According to them, "This was a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were."
Talos also noted that the malicious web server contains a second PHP file (init.php), which carries the core variables and operations used in the malicious operation.
What is interesting in this code is that the configuration lists "PRC" as the time zone; PRC stands for People's Republic of China.
Delivering the malware
After the server has determined which visitor should receive the malicious CCleaner version, the process enters Stage 2. In this phase, the attackers load and execute the payload on the hapless victim's system.
According to Avast, the Stage 2 installer is GeeSetup_x86.dll.
As in Stage 1, it collects system information such as the operating system version, so that it can decide whether to install the 32-bit or 64-bit version of the malicious payload. To cover their tracks, the hackers designed a legitimate binary and encoded a PE in the registry so that it does not look malicious.
Because the executable files of CCleaner reside on the server rather than on the file system, detecting the malware is a little more complicated. With the binary and the registry-encoded PE in place, queries and in-memory execution of PE files can be redirected to the malicious server. In simple terms, data collection is now in place.
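The registry-encoded PE described above is something a defender can hunt for directly: a registry value that decodes to a Windows executable image has no business being there. The following is an added example, not code from the article or from Talos or Avast, that parses a Windows .reg export (as produced by reg export or Regedit), decodes each value as raw binary, base64, or a hex string, and flags any value whose decoded bytes carry an MZ header (and, when the blob is long enough, the PE signature at the offset stored in e_lfanew). The registry key and value names in the sample export are constructed for the example and are not indicators from the page.

```python
import base64
import binascii
import re
import struct

# Constructed sample of a Windows .reg export, built for this example (not
# material from the article). One REG_BINARY value and one REG_SZ value carry
# an encoded PE image; the remaining values are benign and must not be flagged.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Settings]
"Theme"="dark"
"Cache"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,\
  b8,00,00,00,00,00,00,00
"Icon"=hex:89,50,4e,47,0d,0a,1a,0a

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Agent]
"Blob"="TVqQAAMAAAAEAAAA//8AALgAAAAAAAAA"
"Note"="hello world"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def parse_reg(text):
    """Yield (key, value_name, raw_bytes) for every named value in a .reg export.

    hex: / hex(n): values are joined across backslash-continued lines and
    decoded; string values are returned as UTF-8 bytes so the caller can try
    further decodings (base64, hex string) on them.
    """
    key = None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group("name"), m.group("data")
        # A trailing backslash means the hex data continues on the next line.
        while data.endswith("\\") and i < len(lines):
            data = data[:-1] + lines[i].strip()
            i += 1
        if data.startswith("hex:") or data.startswith("hex("):
            hexpart = data.split(":", 1)[1].replace(",", "")
            yield key, name, bytes.fromhex(hexpart)
        elif data.startswith('"') and data.endswith('"'):
            yield key, name, data[1:-1].encode("utf-8")


def looks_like_pe(blob):
    """True if blob starts with an MZ header. If the DOS header is complete,
    also require the PE signature at the offset stored in e_lfanew (0x3C)."""
    if len(blob) < 2 or blob[:2] != b"MZ":
        return False
    if len(blob) >= 0x40:
        (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
        if e_lfanew + 4 <= len(blob):
            return blob[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"
    return True


def candidate_decodings(raw):
    """Yield (encoding_label, bytes) for the raw value and its plausible decodings."""
    yield "raw", raw
    text = raw.decode("utf-8", errors="ignore").strip()
    try:
        yield "base64", base64.b64decode(text, validate=True)
    except (binascii.Error, ValueError):
        pass
    try:
        yield "hexstring", bytes.fromhex(text)
    except ValueError:
        pass


def find_registry_pe_blobs(reg_text):
    """Return [(key, value_name, encoding)] for values that decode to a PE image."""
    hits = []
    for key, name, raw in parse_reg(reg_text):
        for label, blob in candidate_decodings(raw):
            if looks_like_pe(blob):
                hits.append((key, name, label))
                break
    return hits


if __name__ == "__main__":
    for key, name, label in find_registry_pe_blobs(SAMPLE_REG):
        print(f"PE image found in {key}\\{name} (encoding: {label})")
```

On a real system, export the hives of interest with reg export and feed the resulting file to find_registry_pe_blobs; any hit is worth pulling for analysis, since a registry-resident executable is exactly the artifact the in-memory loading described above relies on.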
Malware removal
According to Talos, simply uninstalling and removing the affected CCleaner version does not ensure the removal of the malware. To completely remove the malicious version of this PC utility program, one should restore the system from a backup taken before the attack happened. This would also ensure the removal of the initial malware delivered during the first stage of the attack.
Based on the first stage of the attack, these security firms believe that the malware's purpose is industrial espionage. However, precautionary measures still remain the best defense against malicious attacks.