CCleaner installer shipped multi-stage backdoor
Attackers gained a foothold in Piriform's network months before Avast completed its acquisition of the company, compromised the build environment, and inserted a backdoor into an official CCleaner release that shipped through the normal download channel.
Story
The CCleaner compromise began months before the public software update. Avast later found that the attackers first entered Piriform's network on March 11, 2017, through TeamViewer on an unattended developer workstation. The logs show a single successful sign-in with no failed attempts, which suggests the attacker already held valid credentials. The first attempts to drop malicious DLLs failed because the account lacked admin rights; a third attempt, delivered through a VBScript, succeeded.
On March 12 the actor moved to a second unattended computer and opened a backdoor over Windows Remote Desktop. In April a customized ShadowPad payload appeared inside Piriform under the file name mscoree.dll, including on a build server. Avast found no evidence that this ShadowPad stage was delivered to any of the 40 selected CCleaner victims, but its presence shows the attacker had months of internal access, and a foothold on the build infrastructure, before the customer-facing payload shipped.
The delivery vehicle was the official CCleaner installer. On August 2 the attackers replaced the normal build output with a backdoored CCleaner build; the resulting version 5.33.6162, signed with Piriform's own code-signing certificate, was downloaded by roughly 2.27 million users. The first stage collected system information and reported it to command-and-control. It behaved less like broad commodity malware and more like a filter: a census of infected hosts from which the operators could pick the targets worth a second step.
The second stage was pushed to 40 computers at major technology and telecommunications companies. Cisco Talos identified the malicious official download on September 13 and notified Avast; with FBI help, Avast had the command-and-control server taken down within three days. The lasting lesson is bleak and simple: a free utility with a trusted update path becomes an intelligence platform once its build chain is owned, because signing and distribution happen downstream of the compromise and vouch for whatever the build produces.
Affected Artifacts
- Artifact 1
  - Observed: 2017-08-15 to 2017-09-12
  - Compromised Versions:
  - Fixed: Not listed
  - Hashes:
    - sha256:1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
    - md5:5d4a6ae5ed7de98404bedfe504dbfb4a
- Artifact 2
  - Observed: 2017-08-15 to 2017-09-12
  - Compromised Versions:
  - Fixed: Not listed
- Artifact 3
  - Observed: 2017-09-12
  - Compromised Versions: Unknown
  - Fixed: Not listed
  - Hashes:
    - sha256:36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9
  - Notes: Second-stage DLL deployed only to selected high-value targets after the first-stage CCleaner compromise. Avast reported 40 selected second-stage victims at major technology and telecommunications companies.
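The practical check against this record is a hash match: hash whatever installers and DLLs you hold and compare them with the digests listed above. The script below is an added example written for this page, not Avast, Cisco Talos or Piriform code. It parses indicator lines in the page's `algo:hexdigest` form (rejecting malformed ones rather than matching loosely), hashes every file under a directory once per algorithm in a single pass, and reports matches. The two files it writes are constructed for the demo, and the demo adds its own constructed file's sha256 to the indicator set so that one match is produced; the file name `ccsetup533.exe` is a stand-in, not the real installer. Note that the page does not tie the first two hashes to named versions, so a hit tells you a file is one of the listed artifacts, not which one.

```python
"""Hash-based IOC check for the CCleaner artifacts listed on this page.

Added example; not Avast, Talos or Piriform code. Reads indicator lines in
the page's ``algo:hexdigest`` form, hashes every file under a directory with
the algorithms those indicators use, and reports any file whose digest
matches. The sample files the demo writes are constructed, not real samples.
"""
import hashlib
import os
import tempfile
from typing import Dict, Iterable, List, Set, Tuple

# Indicator lines copied from the Affected Artifacts section of this page.
PAGE_INDICATORS = [
    "sha256:1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff",
    "md5:5d4a6ae5ed7de98404bedfe504dbfb4a",
    "sha256:36b36ee9515e0a60629d2c722b006b33e543dce1c8c2611053e0651a0bfdb2e9",
]

SUPPORTED = {"md5", "sha1", "sha256"}
HEX = set("0123456789abcdef")


def parse_indicators(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Map algorithm name -> set of lowercase hex digests.

    Lines that are not in ``algo:hex`` form, name an unsupported algorithm,
    or carry a digest of the wrong length or with non-hex characters are
    skipped: a typo in an IOC list must never turn into a false hit.
    """
    out: Dict[str, Set[str]] = {}
    for raw in lines:
        line = raw.strip().lstrip("-").strip()
        algo, sep, digest = line.partition(":")
        if not sep:
            continue
        algo, digest = algo.strip().lower(), digest.strip().lower()
        if algo not in SUPPORTED:
            continue
        if len(digest) != hashlib.new(algo).digest_size * 2 or set(digest) - HEX:
            continue
        out.setdefault(algo, set()).add(digest)
    return out


def hash_file(path: str, algos: Iterable[str]) -> Dict[str, str]:
    """Compute every requested digest in one pass over the file."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            for h in hashers.values():
                h.update(chunk)
    return {a: h.hexdigest() for a, h in hashers.items()}


def scan_dir(root: str, iocs: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (path, algo, digest) for every file whose digest is an indicator."""
    hits: List[Tuple[str, str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            for algo, digest in hash_file(path, iocs.keys()).items():
                if digest in iocs[algo]:
                    hits.append((path, algo, digest))
    return hits


def demo() -> List[Tuple[str, str, str]]:
    """Write two constructed files and scan them.

    Only the file whose sha256 is deliberately added to the indicator set
    should match; the page's own hashes match neither constructed file.
    """
    iocs = parse_indicators(PAGE_INDICATORS)
    with tempfile.TemporaryDirectory() as tmp:
        bad = os.path.join(tmp, "ccsetup533.exe")  # constructed stand-in name
        good = os.path.join(tmp, "readme.txt")
        with open(bad, "wb") as fh:
            fh.write(b"constructed sample standing in for a flagged installer")
        with open(good, "wb") as fh:
            fh.write(b"harmless file")
        iocs["sha256"].add(hash_file(bad, ["sha256"])["sha256"])  # constructed IOC
        hits = scan_dir(tmp, iocs)
    return [(os.path.basename(p), a, d) for p, a, d in hits]


if __name__ == "__main__":
    for name, algo, digest in demo():
        print(f"MATCH {name} {algo}={digest}")
```

Point `scan_dir` at a download cache or a software-distribution share with `parse_indicators` fed from this page; a non-empty result is a confirmed copy of a listed artifact and should be handled as such rather than simply deleted, since the second-stage DLL indicates the host was a selected target.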
Incident Context
- Motive: Espionage
- Attribution: State
- Cause: Build System Compromise
- Transitive: No
- Actor: Nation-state
- User Impact: 2,270,000 users
Indicators
- Location (distribution): ccleaner.com/ccleaner/download/standard
- Location (mirror): github.com/InQuest/malware-samples/tree/master/2017-09-CCleaner-Supply-Chain-Attack
- Location (mirror): virustotal.com/gui/file/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
- Location (mirror): hybrid-analysis.com/sample/1a4a5123d7b2c534cb3e3168f7032cf9ebf38b9a2a97226d0fdb7933cf6030ff
- Observable: TeamViewer access to Piriform developer workstation
- Observable: Windows Remote Desktop lateral movement
- File: mscoree.dll (file name under which the customized ShadowPad payload appeared inside Piriform)
- Observable: ShadowPad found on Piriform build infrastructure
External References
- CCleaner incident report - now and then (blog.avast.com)
- Recent findings from CCleaner APT investigation reveal that attackers entered the Piriform network via TeamViewer (blog.avast.com)
- CCleaner Command and Control Causes Concern (blogs.cisco.com)
- Talos Intelligence: CCleaner Command and Control (talosintelligence.com)
- CCleaner Attack Timeline - Here's How Hackers Infected 2.3 Million PCs (thehackernews.com)
Source record: proprietary/ccleaner/meta.yaml