If any of you use CCleaner and have updated one month ago, update it now. Previous version 5.33 (ccsetup533.exe) had a trojan allowing backdoor access (Trojan.Floxif). Updating to the latest update version should remove it.

This infection was only present in the 32-bit binary, but if you do not know which one you have, update it anyway.

UPDATE: Users with 64-bit version have detected malware on their versions as well. ALL CCleaner users please update for security.

News sources:

http://www.tomshardware.com/news/avast-unknowingly-bundled-malware-ccleaner,35477.html

https://www.bleepingcomputer.com/news/security/ccleaner-compromised-to-distribute-malware-for-almost-a-month/

http://searchenterprisedesktop.techtarget.com/blog/Windows-Enterprise-Desktop/CCleaner-533-32-bit-Carries-Malicious-Payload


CCleaner's 2nd payload of malware has been found.

The Trojan.Floxif left other backdoors open. Check your systems for these binary files:

thehackernews.com님이 먼저 게시:

However, during the analysis of the hackers' command-and-control (C2) server to which the malicious CCleaner versions connected, security researchers from Cisco's Talos Group found evidence of a second payload (GeeSetup_x86.dll, a lightweight backdoor module) that was delivered to a specific list of computers based on local domain names.

[...]

Just removing the Avast's software application from the infected machines would not be enough to get rid of the CCleaner second stage malware payload from their network, with the attackers' still-active C2 server.
So, affected companies that have had their computers infected with the malicious version of CCleaner are strongly recommended to fully restore their systems from backup versions before the installation of the tainted security program.

blog.talosintelligence.com님이 먼저 게시:

Stage 2 Payloads

The stage 2 installer is GeeSetup_x86.dll. This installer checks the OS version and then drops either a 32-bit or 64-bit version of a trojanized tool. The x86 version is using a trojanized TSMSISrv.dll, which drops VirtCDRDrv (which matches the filename of a legitimate executable that is part of Corel) using a similar method to the backdoored CCleaner tool. The x64 version drops a trojanized EFACli64.dll file named SymEFA which is the filename taken from a legitimate executable that is part of "Symantec Endpoint". None of the files that are dropped are signed or legitimate.

Effectively, they patch a legitimate binary to package their malware. Additionally, the setup put an encoded PE in the registry :

HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004

The purpose of the trojanized binary is to decode and execute this PE in registry. This PE performs queries to additional C2 servers and executes in-memory PE files. This may complicate detection on some systems since the executable files are never stored directly on the file system.

Within the registry is a lightweight backdoor module which is run by the trojanized files. This backdoor retrieves an IP from data stegged into a github.com or wordpress.com search, from which an additional PE module is downloaded and run.

[...]

Below are indicators of compromise associated with this attack.

Installer on the CC: dc9b5e8aa6ec86db8af0a7aa897ca61db3e5f3d2e0942e319074db1aaccfdc83 (GeeSetup_x86.dll)

64-bit trojanized binary: 128aca58be325174f0220bd7ca6030e4e206b4378796e82da460055733bb6f4f (EFACli64.dll)

32-bit trojanized binary: 07fb252d2e853a9b1b32f30ede411f2efbb9f01e4a7782db5eacf3f55cf34902 (TSMSISrv.dll)

DLL in registry: f0d1f88c59a005312faad902528d60acbf9cd5a7b36093db8ca811f763e1292a

News sources:

http://thehackernews.com/2017/09/ccleaner-malware-hacking.html
http://blog.talosintelligence.com/2017/09/ccleaner-c2-concern.html

These are dark times when we can't even trust programs like CCleaner anymore.



News sources:

http://windowsreport.com/steam-spyware/

https://www.reddit.com/r/GlobalOffensive/comments/70xofs/warning_trusted_steam_inventory_helper_now/