Collect data about the computer (Operating system, computer name, DNS domain, running processes, etc)ģ. Tries an anti-debug technique using time and IcmpSendEcho to waitĢ.
DLL CCLEANER MALWARE SOFTWARE
Next, the entire PE header is overwritten with 0’s, a mechanism to destroy the PE header tricking security software into not realizing this module is malicious, and after the malicious code begins execution.ġ. The relocation table is read to adjust the module to the base address of the allocated memory region, the import table is read, the necessary libraries are loaded, and the import address table is filled with the correct addresses of the imports.
GetProcAddress to get the addresses of external necessary functions, LoadLibraryA to load necessary modules into memory and get the address of the location of the module in memory, VirtualAlloc to create memory for somewhere to copy the memory, and in some cases, when not implemented, and memcpy to copy the buffer to the newly allocated memory region.Īfter the module is copied to memory, to load it properly, the proper loading procedure is executed. The PE loader first begins by resolving the addresses of imports commonly used by loaders and calling them. Data is read from the PE header, from a module created by the malware author. A PE file loader basically emulates the process of what happens when you load an executable file on Windows. The flow-graph of the malicious CCleaner is as follows (taken from the Talos report):Īfter the embedded code is decrypted and executed, the next step is a PE (portable executable) file loader. The infected CCleaner file that begins the analysis is from 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9Ī technical analysis was posted by Talos here ( ). The previous attacks are attributed to a Chinese group called PLA Unit 61398.
Operation Aurora started in 2009 and to see the same threat actor still active in 2017 could possibly mean there are many other supply chain attacks by the same group that we are not aware of. In this case, they probably were able to hack CCleaner’s build server in order to plant this malware. APT17, also known as Operation Aurora, is one of the most sophisticated cyber attacks ever conducted and they specialize in supply chain attacks. The code in question is a unique implementation of base64 only previously seen in APT17 and not in any public repository, which makes a strong case about attribution to the same threat actor. With our technology, we can compare code to a huge database of malicious and trusted software - that’s how we can prove that this code has never been seen before in any other software.Ī deeper analysis leads us to the functions shown below. The photo below is the result of uploading the CCBkdr module to Intezer Analyze™, where the results show there is an overlap in code. Using Intezer Analyze™, we were able to verify the shared code between the backdoor implanted in CCleaner and earlier APT17 samples. The malware injected into #CCleaner has shared code with several tools used by one of the APT groups from the #Axiom APT 'umbrella'. The official statement from Avast can be found here The Big Connection:Ĭostin Raiu, director of Global Research and Analysis Team at Kaspersky Lab, was the first to find a code connection between APT17 and the backdoor in the infected CCleaner: Through somewhere that had access to the source code of CCleaner, the main executable in v had been modified to include a backdoor. A backdoor, inserted into legitimate code by a third party with malicious intent, leads to millions of people being hacked and their information stolen.Īvast’s CCleaner software had a backdoor encoded into it by someone who had access to the supply chain. You may have the most up to date cyber security software, but when the software you are trusting to keep you protected gets infected there is a problem. Recently, there have been a few attacks with a supply chain infection, such as Shadowpad being implanted in many of Netsarang’s products, affecting millions of people. Check out our follow up blog here: Evidence Aurora Operation Still Active Part 2: More Ties Uncovered Between CCleaner Hack & Chinese Hackers
0 kommentar(er)
