26 September 2017

In Depth Avast Publishes Full List of Companies Affected by CCleaner Second-Stage Malware

Hackers compromised the CCleaner infrastructure in July, and between August 15 and September 12, the official CCleaner website offered a version of the app that was infected with malware.

Avast acquired Piriform, the maker of CCleaner, on July 18, 2017.
The compromise may have started on July 3rd. The server was provisioned earlier in 2017, and the SSL certificate for the respective HTTPS communication had a timestamp of July 3, 2017.

Avast suspects that Piriform was being targeted while it was operating as a standalone company, prior to the Avast acquisition.

The compromised version of CCleaner was released on August 15 and went undetected by any security company for four weeks, underscoring the sophistication of the attack.

As only two smaller distribution products (the 32-bit and cloud versions, Windows only) were compromised, the actual number of users affected by this incident was 2.27M.

Avast first learned about the possible malware on September 12, 8:35 AM PT from a company called Morphisec which notified Avast about their initial findings.
Morphisec also notified Cisco.
Following the receipt of this notification, Avast launched an investigation immediately, and by the time the Cisco message was received (September 14, 7:25 AM PT), Avast had already thoroughly analyzed the threat, assessed its risk level and, in parallel, worked with law enforcement in the US to properly investigate the root cause of the issue.

The offending CnC server was then taken down on September 15, 9:50 AM PT, following Avast's collaboration with law enforcement.

During that time, the Cisco Talos team, which had been working on this issue in parallel, registered the secondary DGA domains before Avast had the chance to. With these two actions, the server was taken down and the threat was effectively eliminated, as the attacker lost the ability to deliver the payload.

Next Avast released a fixed version 5.33.6163, identical to 5.33.6162 but with the backdoor removed, and pushed this version as a lightweight automatic update to CCleaner users where it was possible, further reducing the number of impacted customers.

Avast notified the remaining users to upgrade to the latest version of the product as soon as possible (the free version doesn’t contain the auto-update functionality).

Avast said that restoring the affected machines to the pre-August 15 state is unnecessary. By similar logic, security companies do not usually advise customers to reformat their machines after a remote code execution vulnerability is identified on their computer.

Following the take-down of the CnC server and getting access to its data, the Avast Security Threat Labs team has been working around the clock to investigate the source and other details of the recent Piriform CCleaner attack.

To recap, the attack affected a total of 2.27M computers between August 15, 2017 and September 15, 2017 and used the popular PC cleaning software CCleaner version 5.33.6162 as a distribution vehicle.

First of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat) programmed to deliver the 2nd stage payload to select users. Specifically, the server logs indicated 20 machines in a total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for a little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the order of hundreds.

At the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany and the US.

The 2nd stage payload is a relatively complex piece of code that uses two components (DLLs). The first component contains the main business logic. As with the first payload, it is heavily obfuscated and uses a number of anti-debugging and anti-emulation tricks.

Much of the logic is related to the finding of, and connecting to, yet another CnC server, whose address can be determined using three different mechanisms:
1) an account on GitHub,
2) an account on WordPress,
3) a DNS record of a domain get.adxxxxxx.net (name modified here).

Subsequently, the address of the CnC server can also be arbitrarily modified in the future by sending a special command, recognized by the code as a signal to use the DNS protocol (udp/53) to get the address of the new server.

Where did the CCleaner attackers come from?
To figure out who the attackers were, Avast looked for any breadcrumbs the attackers might have left. As Costin Raiu pointed out on Twitter, there are some striking similarities between the code injected into CCleaner and APT17/Aurora malware created by a Chinese APT group in 2014/2015.

Indeed, the similarity between the code linked to group APT17 and the recent payload is quite high.

Further investigation revealed that the attackers backed up the data from the crashed CnC server to another server before rebuilding the database.

The server’s IP address was, it featured the same self-signed SSL certificate (issued for speccy.piriform.com) and stack-wise, had a typical “LAMP” configuration: CentOS release 6.9 with Apache 2.2.15, PHP 5.3.3, but most importantly, a MySQL database that turned out to contain data going back to August 18. Access to this backup server allowed Avast to assemble what Avast believes is the complete database (the only missing piece is a 40-hour window between 2017-09-10 19:03:18 and 2017-09-12 9:58:47 UTC, i.e. between the crash of the original CnC DB and the creation of the new one; it is not clear how the CnC server behaved in that period).

The main findings from the complete database are as follows:
The total number of connections to the CnC server was 5,686,677.

The total number of unique PCs (unique MAC addresses) that communicated with the CnC server was 1,646,536.

The total number of unique PCs that received the 2nd stage payload was 40.

Where the attacker was connecting to the CnC server from
Most of the connections came from Japanese networks. Although these addresses are likely just infected PCs and servers used as proxies, it suggests that the attackers might be familiar with Asian networks. The list of targeted companies contained quite a few Asian companies but none from China. Lastly, the time zone in the PHP scripts feeding the database was set to PRC (People’s Republic of China), although the system clock is in UTC.

In total, the operator connected to the server 83 times (plus 17 more times to the backup server) to do various things, from installing and setting up the systems to monitoring them and resolving issues such as the crashed database. This made us think that this was in fact someone’s ‘day job’. The hypothesis was further supported by the fact that there were many fewer connections to the server on Saturdays, and almost no connections on Sundays.

Given that the typical working day starts at 8 AM or 9 AM, this leads us to the most likely location of the attacker being in the time zone UTC + 4 or UTC + 5, leading us to Russia or the eastern part of the Middle East / Central Asia and India. Furthermore, the clear lack of traffic on Saturdays and Sundays would indicate that it wasn’t an Arabic country.

Another possible explanation is that there were multiple people involved in the operation, each working from a different time zone.
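The working-hours reasoning above can be reproduced as a small scoring routine. This is an added example, not Avast's code: it shifts UTC login timestamps by each candidate offset and counts how many fall on a weekday inside a working window. The login list is constructed for illustration and the 08:00 to 18:00 window is an assumption.

```python
from datetime import datetime, timedelta, timezone

WORK_START, WORK_END = 8, 18  # assumed local working window, in hours


def to_local(ts_utc, offset_hours):
    """Convert an aware UTC timestamp to a fixed UTC offset."""
    return ts_utc.astimezone(timezone(timedelta(hours=offset_hours)))


def workday_score(logins_utc, offset_hours):
    """Fraction of logins that land Mon-Fri inside the working window."""
    hits = 0
    for ts in logins_utc:
        local = to_local(ts, offset_hours)
        if local.weekday() < 5 and WORK_START <= local.hour < WORK_END:
            hits += 1
    return hits / len(logins_utc)


def best_offsets(logins_utc, offsets=range(-12, 15)):
    """Return every offset that ties for the highest score, and that score."""
    scores = {off: workday_score(logins_utc, off) for off in offsets}
    top = max(scores.values())
    return [off for off in offsets if scores[off] == top], top


def weekday_counts(logins_utc, offset_hours):
    """Logins per local weekday, Monday first."""
    counts = [0] * 7
    for ts in logins_utc:
        counts[to_local(ts, offset_hours).weekday()] += 1
    return counts


def sample_logins():
    """Constructed data, not taken from the seized servers."""
    logins = [datetime(2017, 9, day, hour, tzinfo=timezone.utc)
              for day in range(4, 9)            # Mon 4 Sep to Fri 8 Sep
              for hour in (4, 7, 10, 12)]       # earliest login 04:00 UTC
    logins.append(datetime(2017, 9, 9, 6, tzinfo=timezone.utc))  # a Saturday
    return logins


if __name__ == "__main__":
    logins = sample_logins()
    offsets, score = best_offsets(logins)
    print("best UTC offsets:", offsets, "score: %.2f" % score)
    print("logins Mon..Sun at UTC+4:", weekday_counts(logins, 4))
```

Several offsets can tie, so the result is a band of time zones rather than one location, and a single working window cannot distinguish one operator from several working in different time zones.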

It is worth noting that, despite there being a large number of tech / telco companies in China, Russia and India, there are no companies from these countries on the list of companies targeted by this attack.

Avast also says that after analyzing all the logins on the two servers, the login activity pattern fits a person living in the Eastern Russia, China, and India time zones.

Hackers installed a new server on September 12, which Avast, with the help of law enforcement, seized on September 15. The IP address of this main server was

Avast said that after more digging around they were able to find a second server where hackers sent a backup of the original database before reinstalling the server and starting from scratch.

Avast said this second server was located at, on the same hosting provider as the first. ServerCrate, the hosting provider, provided support and made available the second server to Avast.

Last week, investigators didn't reveal what companies were affected. In a table published today, Avast went public with this information.

According to the table, most infected hosts (13 computers) are on the network of Chunghwa Telecom, a Taiwanese ISP.

Second on the list is Japanese IT company NEC with 10, followed by Samsung with 5.

ASUS, Fujitsu, and Sony each had two computers infected with the second-stage payload, while Avast found one infected computer on the network of each of IPAddress.com, O2, Gauselmann, Singtel, Intel, and VMWare.

Below is the complete list of companies / domains affected, together with the number of impacted PCs:

Reality views by sm –
