【Overview】
- Malware-infected versions
  - CCleaner version 5.33.6162 (32-bit)
  - CCleaner Cloud version 1.07.3191 (32-bit) ⇒ fixed versions have since been released
- Distribution period
  - 2017-08-15 to 2017-09-12
- Code-signing certificate
  - Yes (Piriform): issued by Symantec
- Data collected
  - Computer name
  - List of installed software
  - Process list
  - IP address, MAC addresses
  - 32-bit/64-bit
【Timeline】

Date | Event
---|---
2017/07/19 | AVAST acquires Piriform
【Related articles (within TT Malware Log)】
◆Czech security vendor AVAST acquires Piriform, the developer of "CCleaner" (窓の杜, 2019/07/20 09:23)
https://forest.watch.impress.co.jp/docs/news/1071434.html
◆CCleanup: A Vast Number of Machines at Risk (2017/09/18)
http://malware-log.hatenablog.com/entry/2017/09/18/000000_1
◆CCleaner Malware (2017/09/19)
http://malware-log.hatenablog.com/entry/2017/09/19/000000_7
◆Popular cleaning software "CCleaner" distributed in a malware-infected state (2017/09/19)
http://malware-log.hatenablog.com/entry/2017/09/19/000000_1
◆CCleaner Command and Control Causes Concern (2017/09/20)
http://malware-log.hatenablog.com/entry/2017/09/20/000000_3
◆The problem of a malware-laced "CCleaner" having been distributed (2017/09/20)
http://malware-log.hatenablog.com/entry/2017/09/20/000000
◆Hacker attack on free software "CCleaner" may have targeted tech giants (2017/09/21)
http://malware-log.hatenablog.com/entry/2017/09/21/000000
◆Malware found in CCleaner: update immediately (2017/09/22)
http://malware-log.hatenablog.com/entry/2017/09/22/000000
◆CCleaner malware contamination turns out to be a targeted attack aimed at large companies such as Intel, Sony and Microsoft (2017/09/22)
http://malware-log.hatenablog.com/entry/2017/09/22/000000_4
◆CCleaner malware contamination: top 10 affected countries/regions and several mysteries (2017/09/23)
http://malware-log.hatenablog.com/entry/2017/09/23/000000
◆Additional information regarding the recent CCleaner APT security incident (2017/09/25)
http://malware-log.hatenablog.com/entry/2017/09/25/000000
◆Attackers abusing "CCleaner" may have delivered malware to NEC, Fujitsu and Sony (2017/09/26)
http://malware-log.hatenablog.com/entry/2017/09/26/000000_8
【News】
◆Popular cleaning software "CCleaner" distributed in a malware-infected state (マイナビニュース, 2017/09/19)
http://news.mynavi.jp/news/2017/09/19/188/
◆Malware in v5.33 of the Windows system cleaner "CCleaner" (マイナビニュース, 2017/09/19)
http://news.mynavi.jp/news/2017/09/19/049/
◆Official CCleaner files tampered with and distributed for download with malware inside (Gigazine, 2017/09/19 12:35)
http://gigazine.net/news/20170919-ccleaner-malware/
◆Warning: CCleaner Hacked to Distribute Malware; Over 2.3 Million Users Infected
http://thehackernews.com/2017/09/ccleaner-hacked-malware.html
◆Malware mixed into Avast subsidiary's "CCleaner", delivered through official channels (ITmedia, 2017/09/19 08:15)
The legitimate version of the system cleaner "CCleaner" was found to have been tampered with to plant malware, and was distributed through the official download server
http://www.itmedia.co.jp/enterprise/articles/1709/19/news051.html
◆Malware planted in popular PC optimization software "CCleaner" (Cnet, 2017/09/19 09:58)
https://japan.cnet.com/article/35107418/
◆System maintenance tool "CCleaner" tampered with, sends user information externally (窓の杜, 2017/09/19 07:35)
Malware mixed into the 32-bit Windows version of "CCleaner" v5.33; 2.27 million people affected
http://forest.watch.impress.co.jp/docs/news/1081368.html
◆Hacker attack on free system cleaner software "CCleaner" (ロイター, 2017/09/19 10:58)
http://jp.reuters.com/article/security-avast-idJPKCN1BU04V
◆Backdoor in Avast subsidiary's system optimization tool – 2.27 million people affected (Security NEXT, 2017/09/19)
http://www.security-next.com/085902
◆Security warning: Hackers compromised CCleaner and installed a backdoor (betanews, 2017/09/18)
https://betanews.com/2017/09/18/ccleaner-hacked-backdoor/
◆Avast opens up about CCleaner hack and outlines how it will protect users (betanews, 2017/09/19)
https://betanews.com/2017/09/19/avast-ccleaner-hack/
◆Avast! There’s malware in that CCleaner software update (ars Technica, 2017/09/19 12:08)
https://arstechnica.com/information-technology/2017/09/backdoor-malware-planted-in-legitimate-software-updates-to-ccleaner/
◆Hacker attack on free software "CCleaner" may have targeted tech giants (ロイター, 2017/09/21 11:31)
http://jp.reuters.com/article/security-avast-idJPKCN1BW094
◆Were tech giants targeted? Hacker attack on free software "CCleaner" (マイナビニュース, 2017/09/21)
http://news.mynavi.jp/news/2017/09/21/092/
◆Is the "CCleaner" malware contamination a targeted attack? Sony and others on the target list (ZDNet, 2017/09/21 15:02)
https://japan.zdnet.com/article/35107587/
◆Malware mixed into popular PC optimization software "CCleaner", distributed with a legitimate digital signature (ITPro, 2017/09/21)
http://itpro.nikkeibp.co.jp/atcl/news/17/092102292/?rt=nocnt
◆CCleaner malware contamination: top 10 affected countries/regions and several mysteries (マイナビニュース, 2017/09/23)
http://news.mynavi.jp/news/2017/09/23/095/
【Published information】
◆CCleanup: A Vast Number of Machines at Risk (TALOS, 2017/09/18)
http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html
◆Piriform - Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users
http://www.piriform.com/news/release-announcements/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
◆CCleaner Malware (IBM X-Force, 2017/09/19)
https://exchange.xforce.ibmcloud.com/collection/CCleaner-Malware-b76e23a6710956bd0782d55976e748ae
◆The problem of a malware-laced "CCleaner" having been distributed (JPCERT/CC, 2017/09/20)
http://www.jpcert.or.jp/newsflash/2017092001.html
◆SECURITY ADVISORY: CCLEANER MODIFIED BY SOPHISTICATED ATTACKER TO DELIVER MALICIOUS CODE
https://research.kudelskisecurity.com/2017/09/22/security-advisory-ccleaner-modified-by-sophisticated-attacker-to-deliver-malicious-code/
◆CCleaner distributes Backdoor-Malware (ScriptIn, 2017/09/20)
http://scriptin.info/ccleaner-distributes-backdoor-malware/
【Blogs】
◆Security Notification for CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 for 32-bit Windows users (piriform, 2017/09/18)
https://www.piriform.com/news/blog/2017/9/18/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users
◆Update to the CCleaner 5.33.6162 Security Incident (AVAST, 2017/09/19)
https://blog.avast.com/update-to-the-ccleaner-5.33.6162-security-incident
◆CCleaner Command and Control Causes Concern (Talos, 2017/09/20)
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
◆Large technology and telecommunications companies were targeted (AVAST, 2017/09/21)
https://blog.avast.com/progress-on-ccleaner-investigation
◆Analyzing the CCleaner malware code, part 1 (黒翼猫のコンピュータ日記 2nd Edition)
http://blog.livedoor.jp/blackwingcat/archives/1955679.html
◆Analyzing the CCleaner malware code, part 2 (黒翼猫のコンピュータ日記 2nd Edition)
http://blog.livedoor.jp/blackwingcat/archives/1955680.html
◆Memorandum on the incident of malware mixed into CCleaner (元期間蟹工船員の戯言, 2017/09/22)
http://tdaitoku.hatenablog.com/entry/2017/09/22/072912
◆Additional information regarding the recent CCleaner APT security incident (AVAST, 2017/09/25)
https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident
【SNS】
◆Here's the dumped DLL from memory from the CCleaner backdoor (Bart, 2017/09/19)
https://www.virustotal.com/#/file/2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f/detection
【Related summary articles】
◆Operation / Campaign (summary)
https://malware-log.hatenablog.com/entry/Operation
【Indicator information】
■Hash information (MD5)
- 2d29b4a7ca69060f23d3b63331fcc042
- 75735db7291a19329190757437bdb847
- d488e4b61c233293bec2ee09553d3a2f
- ef694b89ad7addb9a16bb6f26f1efaf7
- 04c940f8755ecfd89472dec010a27980
■Hash information (SHA256)
◇1st stage
- 04bed8e35483d50a25ad8cf203e6f157e0f2fe39a762f5fbacd672a3495d6a11 - CCleaner - installer (v5.33.0.6162)
- 0564718b3778d91efd7a9972e11852e29f88103a10cb8862c285b924bc412013 - CCleaner - installer (v5.33.0.6162)
- 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff - CCleaner - installer (v5.33.0.6162)
- 276936c38bd8ae2f26aab14abff115ea04f33f262a04609d77b0874965ef7012 - CCleaner - installer (v5.33.0.6162)
- 2fe8cfeeb601f779209925f83c6248fb4f3bfb3113ac43a3b2633ec9494dcee0 - CCleaner - installer (v5.33.0.6162)
- 3c0bc541ec149e29afb24720abc4916906f6a0fa89a83f5cb23aed8f7f1146c3 - CCleaner - installer (v5.33.0.6162)
- 4f8f49e4fc71142036f5788219595308266f06a6a737ac942048b15d8880364a - CCleaner - installer (v5.33.0.6162)
- 7bc0eaf33627b1a9e4ff9f6dd1fa9ca655a98363b69441efd3d4ed503317804d - CCleaner - installer (v5.33.0.6162)
- a013538e96cd5d71dd5642d7fdce053bb63d3134962e2305f47ce4932a0e54af - CCleaner - installer (v5.33.0.6162)
- bd1c9d48c3d8a199a33d0b11795ff7346edf9d0305a666caa5323d7f43bdcfe9 - CCleaner - installer (v5.33.0.6162)
- c92acb88d618c55e865ab29caafb991e0a131a676773ef2da71dc03cc6b8953e - CCleaner - installer (v5.33.0.6162)
- e338c420d9edc219b45a81fe0ccf077ef8d62a4ba8330a327c183e4069954ce1 - CCleaner - installer (v5.33.0.6162)
- 36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9 - CCleaner.exe (32-bit v5.33.0.6162)
- 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9 - CCleaner.exe (32-bit v5.33.0.6162)
- a3e619cd619ab8e557c7d1c18fc7ea56ec3dfd13889e3a9919345b78336efdb2 - CCleanerCloud - installer (32-bit v1.7.0.3191)
- 0d4f12f4790d2dfef2d6f3b3be74062aad3214cb619071306e98a813a334d7b8 - CCleanerCloudAgent.exe (32-bit v1.7.0.3191)
- 9c205ec7da1ff84d5aa0a96a0a77b092239c2bb94bcb05db41680a9a718a01eb - CCleanerCloudAgentHealtCheck.exe (32-bit v1.7.0.3191)
- bea487b2b0370189677850a9d3f41ba308d0dbd2504ced1e8957308c43ae4913 - CCleanerCloudTray.exe (32-bit v1.7.0.3191)
- 3a34207ba2368e41c051a9c075465b1966118058f9b8cdedd80c19ef1b5709fe - 1st stage payload DLL found in CCleaner
- 19865df98aba6838dcc192fbb85e5e0d705ade04a371f2ac4853460456a02ee3 - 1st stage payload DLL found in CCleanerCloud
Source: AVAST (https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident)
◇2nd stage
- 7ac3c87e27b16f85618da876926b3b23151975af569c2c5e4b0ee13619ab2538 - loader of the 2nd stage payload (32-bit)
- a414815b5898ee1aa67e5b2487a11c11378948fcd3c099198e0f9c6203120b15 - loader of the 2nd stage payload (64-bit)
- 3a34207ba2368e41c051a9c075465b1966118058f9b8cdedd80c19ef1b5709fe - 2nd stage payload DLL (GeeSetup_x86.dll)
- 4ae8f4b41dcc5e8e931c432aa603eae3b39e9df36bf71c767edb630406566b17 - 32-bit DLL dropped from the 2nd stage payload
- 4ae8f4b41dcc5e8e931c432aa603eae3b39e9df36bf71c767edb630406566b17 - 64-bit DLL dropped from the 2nd stage payload
- a6c36335e764b5aae0e56a79f5d438ca5c42421cae49672b79dbd111f884ecb5 - inner DLL of the 2nd stage payload (32-bit)
- b3badc7f2b89fe08fdee9b1ea78b3906c89338ed5f4033f21f7406e60b98709e - inner DLL of the 2nd stage payload (64-bit)
Source: AVAST (https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident)
◇Other
- 2bc2dee73f9f854fe1e0e409e1257369d9c0a1081cf5fb503264aa1bfe8aa06f
- dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
- 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f
- 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902
■Domain information [DGA (used by the 1st stage payload)]
- ab8cee60c2d.com - valid for 2017-08
- ab1145b758c30.com - valid for 2017-09
- ab890e964c34.com - valid for 2017-10
- ab3d685a0c37.com - valid for 2017-11
- ab70a139cc3a.com - valid for 2017-12
- ab3c2b0d28ba6.com - valid for 2018-01
- ab99c24c0ba9.com - valid for 2018-02
- ab2e1b782bad.com - valid for 2018-03
- ab253af862bb0.com - valid for 2018-04
- ab2d02b02bb3.com - valid for 2018-05
- ab1b0eaa24bb6.com - valid for 2018-06
- abf09fc5abba.com - valid for 2018-07
- abce85a51bbd.com - valid for 2018-08
- abccc097dbc0.com - valid for 2018-09
- ab33b8aa69bc4.com - valid for 2018-10
- ab693f4c0bc7.com - valid for 2018-11
- ab23660730bca.com - valid for 2018-12
Source: AVAST (https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident)
- ab6d54340c1a.com (2017/02)
- aba9a949bc1d.com (2017/03)
- ab2da3d400c20.com (2017/04)
- ab3520430c23.com (2017/05)
- ab1c403220c27.com (2017/06)
- ab1abad1d0c2a.com (2017/07)
- ab8cee60c2d.com (2017/08)
- ab1145b758c30.com (2017/09)
- ab890e964c34.com (2017/10)
- ab3d685a0c37.com (2017/11)
- ab70a139cc3a.com (2017/12)
Source: TALOS (http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html)
■IP address information
- 216.126.225.148
- 216.126.225.163 (backup server)
Source: AVAST (https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident)
■URL information
- get.adoble[.]com
- hxxps://github[.]com/search?q=joinlur&type=Users&u=✓
- hxxps://en.search.wordpress[.]com/?src=organic&q=keepost
Source: AVAST (https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident)
■Dropped files
- C:\Windows\system32\lTSMSISrv.dll (SessionEnv service)
- C:\Windows\system32\spool\prtprocs\w32x86\localspl.dll (Spooler service)
Source: AVAST (https://blog.avast.com/progress-on-ccleaner-investigation)
■Windows Registry
- HKLM\SOFTWARE\Piriform\Agomo\MUID - used by the 1st stage payload
- HKLM\SOFTWARE\Piriform\Agomo\NID - used by the 1st stage payload
- HKLM\SOFTWARE\Piriform\Agomo\TCID - used by the 1st stage payload
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP - used by the 2nd stage payload
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\001 - used by the 2nd stage payload
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\002 - used by the 2nd stage payload
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\003 - used by the 2nd stage payload
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WbemPerf\004 - used by the 2nd stage payload
Source: AVAST (https://blog.avast.com/progress-on-ccleaner-investigation)
Source: AVAST (https://blog.avast.com/additional-information-regarding-the-recent-ccleaner-apt-security-incident)
【Malware information】
■6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9

Item | Value
---|---
MD5 | ef694b89ad7addb9a16bb6f26f1efaf7
SHA1 | 8983a49172af96178458266f93d65fa193eaaef2
SHA256 | 6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9
SHA512 |
SSDEEP | 98304:K/IuhWF8V2T29N/78QsAYOj0exgPujgFPGctXLcaDR8:iWFmNT8QsHGkx95R8
authentihash | 2ad2a4ecb5a25e4d7e2a02a51436c94f63a3075985ef81dc01b017f3cb01ecd2
imphash | 0a2846d08c140716112b3f476b4f75f8
File Size | 7680216 bytes
File Type | Win32 EXE
Compile time | 2017-08-03 09:25:13
Debug Path |
File Name | CCleaner.exe
File Path |
Dropped files |
Characteristics |
References | https://virustotal.com/en/file/6f7840c77f99049d788155c1351e1560b62b8ad18ad0e9adda8218b9f432f0a9/analysis/1505759040/
References | http://blog.livedoor.jp/blackwingcat/archives/1955680.html
References | http://blog.livedoor.jp/blackwingcat/archives/1955679.html
References | Piriform CCleaner Compromised by Multi-Stage Backdoor

■1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff

Item | Value
---|---
MD5 | 75735db7291a19329190757437bdb847
SHA1 | c705c0b0210ebda6a3301c6ca9c6091b2ee11d5b
SHA256 | 1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
SHA512 |
SSDEEP | 196608:ciooAZ5qcsTCea57oVHNJsrtNvAvgxL0+1BFxr6B3sdd/IfbZ6rM:cIAZU3Ba5+N0tNZx1nFxr6tGd/8f
authentihash | ff1e1921f2ecf28032c96e37a8fd7acd5af5cf4c20902b476aed9d06321fbf15
imphash | 377a97652fdf5740d8cc11d5ce124fed
File Size | 9791816 bytes
File Type | Win32 EXE
Compile time | 2015/12/29 21:34:49
Debug Path |
File Name | ccsetup533.exe
File Path |
Dropped files |
Characteristics |
References | https://www.hybrid-analysis.com/sample/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff?environmentId=100
References | https://www.virustotal.com/ja/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff/analysis/

■dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83

Item | Value
---|---
MD5 |
SHA1 |
SHA256 | dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83
SHA512 |
SSDEEP |
authentihash |
imphash |
File Size |
File Type |
Compile time |
Debug Path |
File Name | GeeSetup_x86.dll
File Path |
Dropped files |
Characteristics | CCleaner-related
References | http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html
References | https://www.ghacks.net/2017/09/21/ccleaner-malware-second-payload-discovered/
References | https://blog.avast.com/avast-threat-labs-analysis-of-ccleaner-incident