![]() ![]() The payload is a DLL stored encrypted (XOR) without the PE header (to avoid AV detections), and once loaded it fires a new thread that will run the malware code. In this routine, the malware is executing what appears to be a PE loader, using Heap creation and execution. That way, the malware is able to execute its own code before to launch the legitimate program. That means the TLS callback is first called, before the actual binary entrypoint. The official CCleaner binary was patched using the TLS callback method. They either altered the source code (unlikely) or added a patch routine (most likely) on the end binary, just before the digital signature processing. It is very possible (not confirmed) that this machine was compromised and that hackers gained access to it. That machine is also responsible for signing the end package to make sure no altered version can be spread under the company’s name ( see our blog post about code signing). Usually, this requires a dedicated machine where the source code is compiled into the new binary/installer. HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\HBP What happened?Įvery big software company uses “continuous integration and deployment”, a methodology that allows easier, faster and safer software update (with testing). HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\004 HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\003 HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\002 Also, another registry key was found storing a malware (later executed by the infection): HKLM\Software\Microsoft\Windows NT\CurrentVersion\WbemPerf\001 As of now, we don’t know what this second stage infection is doing. They also found that machines from these organizations (20 machines) got a second stage payload. After analysing the server code, they discovered interesting domains list of the possible targets, including Cisco, Samsung and other big corporations. Talos discovered that the supposedly sleeping or idle infection was actually just filtering for specific targets on C&C (command and control) server. Older and newer versions are not affected, and Avast (CCleaner owner) claims simply updating to 5.34 removes the malware. Version 5.33 of the popular machine cleaner CCleaner has been compromised to deliver the Floxif malware as injected DLL. ![]()
0 Comments
Leave a Reply. |
Details
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |