CCleaner is a PC cleaning tool developed by Piriform, acquired by antivirus (AV) provider Avast in June of 2017. In September of 2017, security researchers at Cisco Talos and Morphisec disclosed CCleaner had been compromised. The 5.33 version of CCleaner had widespread distribution across multiple industries, but the embedded code appeared to be targeted at specific groups in the technology sector.

It was infected with a modified __scrt_common_main_seh function that routed the execution flow to a custom function that decoded and loaded a malware.

  • The infection took place before the entry point (EP) of the tool. The new execution flow lead to a function that decoded a blob of data.
  • The result of the decoding was some shellcode and a payload.
  • The program then created an executable memory heap, copied the shellcode on the heap, and executed it.
  • The shellcode was responsible for loading the payload in memory.
  • Once the payload was copied to newly allocated memory, the shellcode resolved the needed API’s, and called the OEP (original entry point) of the payload in memory.
  • The payload created a thread that performed the core functionality of the malware.
  • First it made some steps to guard against debugging and/or sandboxing.
  • It checked that the current user is member of the administrator’s group.
  • The malware also checked the privilege levels of its own process; if the process did not have administrative privileges, it set debug privileges.
  • The malware then checked for the registry keys HKLM\SOFTWARE\Piriform\Agomo\TCID and HKLM\SOFTWARE\Piriform\Agomo\MUID.
  • Once the checks were completed, the malware gathered information about the victim machine: OS major version, OS minor version, OS architecture, Computer name, Computer DNS domain, IPv4 addresses associated with the machine, installed applications, and full name of the executable image of each running process.
  • This information was encoded and stored in a data structure in memory.
  • The information was sent to C&C servers in an inconspicuous and hard to detect way.

The intent behind the injected packages was to collect an initial set of reconnaissance data.

The mitigation that followed was an update to CCleaner that removed the injected codes.