This blog was written by Stan Golubchik.
On Monday, security researchers in Cisco’s Talos division revealed that the ever popular, free computer clean up tool CCleaner had been compromised for at least the past month. Hackers utilized a backdoor vulnerability through the software’s updating system into the application. With an estimated installation base of 2.27 million, which highlights the pervasiveness of the application and the potential customers who could be susceptible to a breach, this could bloom into a widespread issue.
This is an atypical scenario as CCleaner has been a trusted application by users. By exploiting the trust relationship established between this commonly known good application, attackers can tap into the inherited trusted web servers which host and distribute updates.
Taking a quick glimpse at VirusTotal, it’s apparent that most endpoint vendors have not caught on to the compromised application. Luckily those with McAfee defenses including McAfee Advanced Threat Defense (ATD), the advanced sandbox, could thwart the obfuscated malicious activity within the ever trusted CCleaner.
Without the requirement of amending a blacklist or a DAT update, ATD could detect malicious behavior in the latest version of 5.34 of CCleaner. ATD provides manual investigation by allowing the user an interactive window, or X-mode, into the VM which detonates the sample for analysis. Looking at the Threat Analysis Report generated after the application was analyzed, compelling evidence can be observed on the true intent of the application.
So exactly what behavior was exhibited as malicious and tagged with such a high severity? As stated earlier, attackers have exploited the trust between the update mechanism in the application with the web servers from which the updates are pulled. Looking at the Dynamic Analysis, it’s apparent that the application was attempting to download content from a suspicious webserver. Also, there is an action that describes the intent of the file to behave as ransomware would.
X-mode allows the ATD user to interact with the program while it’s running isolated within the virtual analysis environment. In addition to simply installing, executing, and running the application, the user can perform tasks in CCleaner to emulate real world behavior to reveal any evasive and latent code. As seen from the screenshot provided in the report, the application’s functionality can be triggered and monitored in an isolated environment to prevent any propagation of the threat.
Additionally, other behavioral awareness indicators can be observed through the report, providing a more thorough analysis and confident assessment of the intent of the application. These include embedded and dropped content, file operations, and network activity.
CCleaner has historically been a reliable tool in sweeping up and cleaning a machine’s unwanted temporary files and invalid Windows registry entries. Reliability that’s trusted by millions. Through the exploitation of this trust-based relationship between the application and users, attackers could successfully utilize a method to infiltrate and potentially compromise victim machines. This is where advanced malware detection capabilities demonstrate their true value. McAfee Advanced Threat Defense swept up the unwanted files and cleaned house. Even your trusty broom needs a good cleaning occasionally.