{"id":1086,"date":"2017-09-18T12:16:42","date_gmt":"2017-09-18T12:16:42","guid":{"rendered":"https:\/\/www.adlice.com\/?p=1086\/"},"modified":"2022-12-21T10:32:25","modified_gmt":"2022-12-21T10:32:25","slug":"ccleaner-delivers-floxif-malware","status":"publish","type":"post","link":"https:\/\/www.adlice.com\/es\/ccleaner-delivers-floxif-malware\/","title":{"rendered":"CCleaner Delivers Floxif Malware"},"content":{"rendered":"\n

Version 5.33 of the popular machine cleaner CCleaner has been compromised<\/strong> to deliver the Floxif malware as injected DLL. Older and newer versions are not affected, and Avast (CCleaner owner) claims simply updating to 5.34 removes the malware<\/strong>.<\/p>\n\n\n\n

Update: September, 21<\/h2>\n\n\n\n

Talos discovered<\/a> that the supposedly sleeping or idle infection was actually just filtering for specific targets<\/strong> on C&C (command and control) server. After analysing the server code, they discovered interesting domains list of the possible targets, including Cisco, Samsung and other big corporations<\/strong>.<\/p>\n\n\n\n

\"ccleaner<\/a>
talos credits<\/figcaption><\/figure>\n\n\n\n

They also found that machines from these organizations (20 machines) got a second stage payload<\/strong>. As of now, we don’t know what this second stage infection is doing. Also, another registry key was found storing a malware (later executed by the infection)<\/strong>:<\/p>\n\n\n\n

HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\001\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\002\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\003\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\004\nHKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\HBP<\/pre>\n\n\n\n
What happened?<\/h2>\n\n\n\n
Every big software company uses “continuous integration and deployment”<\/strong>, a methodology that allows easier, faster and safer software update (with testing). Usually, this requires a dedicated machine where the source code is compiled into the new binary\/installer. <\/strong><\/p>\n\n\n\n
That machine is also responsible for signing the end package<\/strong> to make sure no altered version can be spread under the company’s name (see our blog post about code signing<\/a>).<\/p>\n\n\n\n
It is very possible (not confirmed) that this machine was compromised and that hackers gained access to it<\/strong>. They either altered the source code (unlikely) or added a patch routine (most likely) on the end binary<\/strong>, just before the digital signature processing.<\/p>\n\n\n\n
The patch<\/h2>\n\n\n\n
The official CCleaner binary was patched using the TLS callback method<\/a><\/strong>. That means the TLS callback is first called, before the actual binary entrypoint<\/strong>. That way, the malware is able to execute its own code before to launch the legitimate program.<\/p>\n\n\n\n
\"ccleanre<\/a><\/figure>\n\n\n\n
In this routine, the malware is executing what appears to be a PE loader, using Heap creation and execution<\/strong>. The payload is a DLL stored encrypted (XOR) without the PE header<\/strong> (to avoid AV detections), and once loaded it fires a new thread that will run the malware code.<\/p>\n\n\n\n
\"ccleaner<\/a><\/figure>\n\n\n\n
The malware code appears to be using extensively the following registry key to store data<\/strong>:<\/p>\n\n\n\n
HKLM\\SOFTWARE\\Piriform\\Agomo<\/pre>\n\n\n\n
Also, for now, the malware doesn’t seem to be very aggressive and only logs inoffensive data from the machine<\/strong> (machine name, IP address, etc…). But this may change very quickly if the malware owner decides to send different orders<\/strong> from the command and control (C&C) server. It could ask to deliver a Ransomware<\/strong> for example.<\/p>\n\n\n\n
Update: The C&C server has been takedown and DGA domains taken, so in theory the malware cannot do anything now. <\/strong><\/p>\n\n\n\n
Removal<\/h2>\n\n\n\n
Avast claims updating CCleaner to version 5.34 addresses the issue and removes the malware<\/strong>. However, RogueKiller (version 12.11.16 and above)<\/a> finds the infected CCleaner binaries<\/strong>, as well as the registry keys used by the malware and remove them.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Links<\/h2>\n\n\n\n
http:\/\/blog.talosintelligence.com\/2017\/09\/avast-distributes-malware.html<\/a>
http:\/\/blog.talosintelligence.com\/2017\/09\/ccleaner-c2-concern.html<\/a>
https:\/\/www.piriform.com\/news\/blog\/2017\/9\/18\/security-notification-for-ccleaner-v5336162-and-ccleaner-cloud-v1073191-for-32-bit-windows-users<\/a>
https:\/\/www.bleepingcomputer.com\/news\/security\/ccleaner-compromised-to-distribute-malware-for-almost-a-month\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
Popular cleanup tool CCleaner was compromised to deliver the Floxif malware. Learn how this happened and find if you are at risk.<\/p>\n","protected":false},"author":1,"featured_media":955,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[54,110],"tags":[7,560,561,48,106],"class_list":["post-1086","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-analyse","category-guide-fr","tag-analysis","tag-ccleaner","tag-floxif","tag-removal","tag-roguekiller","category-54","category-110","description-off"],"views":6654,"yoast_score":73,"yoast_readable":60,"featured_image_src":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg","author_info":{"display_name":"tigzy","author_link":"https:\/\/www.adlice.com\/es\/author\/tigzy\/"},"yoast_head":"\nCCleaner Delivers Floxif Malware \u2022 Adlice Software<\/title>\n<meta name=\"description\" content=\"Popular cleanup tool CCleaner was compromised to deliver the Floxif malware. Learn how this happened and find if you are at risk.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/\" \/>\n<meta property=\"og:locale\" content=\"es_ES\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"CCleaner Delivers Floxif Malware \u2022 Adlice Software\" \/>\n<meta property=\"og:description\" content=\"Popular cleanup tool CCleaner was compromised to deliver the Floxif malware. Learn how this happened and find if you are at risk.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/\" \/>\n<meta property=\"og:site_name\" content=\"Adlice Software\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/RogueKiller\" \/>\n<meta property=\"article:published_time\" content=\"2017-09-18T12:16:42+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-12-21T10:32:25+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1209\" \/>\n\t<meta property=\"og:image:height\" content=\"862\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"tigzy\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:site\" content=\"@AdliceSoftware\" \/>\n<meta name=\"twitter:label1\" content=\"Escrito por\" \/>\n\t<meta name=\"twitter:data1\" content=\"tigzy\" \/>\n\t<meta name=\"twitter:label2\" content=\"Tiempo de lectura\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutos\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/\"},\"author\":{\"name\":\"tigzy\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\"},\"headline\":\"CCleaner Delivers Floxif Malware\",\"datePublished\":\"2017-09-18T12:16:42+00:00\",\"dateModified\":\"2022-12-21T10:32:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/\"},\"wordCount\":503,\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg\",\"keywords\":[\"analysis\",\"ccleaner\",\"floxif\",\"removal\",\"roguekiller\"],\"articleSection\":[\"Analyse\",\"Guide\"],\"inLanguage\":\"es\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/\",\"url\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/\",\"name\":\"CCleaner Delivers Floxif Malware \u2022 Adlice Software\",\"isPartOf\":{\"@id\":\"https:\/\/www.adlice.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg\",\"datePublished\":\"2017-09-18T12:16:42+00:00\",\"dateModified\":\"2022-12-21T10:32:25+00:00\",\"description\":\"Popular cleanup tool CCleaner was compromised to deliver the Floxif malware. Learn how this happened and find if you are at risk.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#breadcrumb\"},\"inLanguage\":\"es\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#primaryimage\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg\",\"width\":1209,\"height\":862},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.adlice.com\/es\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"CCleaner Delivers Floxif Malware\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.adlice.com\/#website\",\"url\":\"https:\/\/www.adlice.com\/\",\"name\":\"Adlice Software\",\"description\":\"Anti-malware and analysis tools\",\"publisher\":{\"@id\":\"https:\/\/www.adlice.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.adlice.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"es\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.adlice.com\/#organization\",\"name\":\"Adlice Software\",\"url\":\"https:\/\/www.adlice.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"contentUrl\":\"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png\",\"width\":276,\"height\":276,\"caption\":\"Adlice Software\"},\"image\":{\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/RogueKiller\",\"https:\/\/x.com\/AdliceSoftware\",\"https:\/\/fr.linkedin.com\/company\/adlice-software\",\"https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d\",\"name\":\"tigzy\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"es\",\"@id\":\"https:\/\/www.adlice.com\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g\",\"caption\":\"tigzy\"},\"description\":\"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.\",\"url\":\"https:\/\/www.adlice.com\/es\/author\/tigzy\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"CCleaner Delivers Floxif Malware \u2022 Adlice Software","description":"Popular cleanup tool CCleaner was compromised to deliver the Floxif malware. Learn how this happened and find if you are at risk.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/","og_locale":"es_ES","og_type":"article","og_title":"CCleaner Delivers Floxif Malware \u2022 Adlice Software","og_description":"Popular cleanup tool CCleaner was compromised to deliver the Floxif malware. Learn how this happened and find if you are at risk.","og_url":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/","og_site_name":"Adlice Software","article_publisher":"https:\/\/www.facebook.com\/RogueKiller","article_published_time":"2017-09-18T12:16:42+00:00","article_modified_time":"2022-12-21T10:32:25+00:00","og_image":[{"width":1209,"height":862,"url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg","type":"image\/jpeg"}],"author":"tigzy","twitter_card":"summary_large_image","twitter_creator":"@AdliceSoftware","twitter_site":"@AdliceSoftware","twitter_misc":{"Escrito por":"tigzy","Tiempo de lectura":"3 minutos"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#article","isPartOf":{"@id":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/"},"author":{"name":"tigzy","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d"},"headline":"CCleaner Delivers Floxif Malware","datePublished":"2017-09-18T12:16:42+00:00","dateModified":"2022-12-21T10:32:25+00:00","mainEntityOfPage":{"@id":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/"},"wordCount":503,"publisher":{"@id":"https:\/\/www.adlice.com\/#organization"},"image":{"@id":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg","keywords":["analysis","ccleaner","floxif","removal","roguekiller"],"articleSection":["Analyse","Guide"],"inLanguage":"es"},{"@type":"WebPage","@id":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/","url":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/","name":"CCleaner Delivers Floxif Malware \u2022 Adlice Software","isPartOf":{"@id":"https:\/\/www.adlice.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#primaryimage"},"image":{"@id":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#primaryimage"},"thumbnailUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg","datePublished":"2017-09-18T12:16:42+00:00","dateModified":"2022-12-21T10:32:25+00:00","description":"Popular cleanup tool CCleaner was compromised to deliver the Floxif malware. Learn how this happened and find if you are at risk.","breadcrumb":{"@id":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#breadcrumb"},"inLanguage":"es","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/"]}]},{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#primaryimage","url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg","contentUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2017\/05\/ccleaner.jpg","width":1209,"height":862},{"@type":"BreadcrumbList","@id":"https:\/\/www.adlice.com\/ccleaner-delivers-floxif-malware\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.adlice.com\/es\/"},{"@type":"ListItem","position":2,"name":"CCleaner Delivers Floxif Malware"}]},{"@type":"WebSite","@id":"https:\/\/www.adlice.com\/#website","url":"https:\/\/www.adlice.com\/","name":"Adlice Software","description":"Anti-malware and analysis tools","publisher":{"@id":"https:\/\/www.adlice.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.adlice.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"es"},{"@type":"Organization","@id":"https:\/\/www.adlice.com\/#organization","name":"Adlice Software","url":"https:\/\/www.adlice.com\/","logo":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png","contentUrl":"https:\/\/www.adlice.com\/wp-content\/uploads\/2020\/05\/B1rTNpTG_400x40_10.png","width":276,"height":276,"caption":"Adlice Software"},"image":{"@id":"https:\/\/www.adlice.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/RogueKiller","https:\/\/x.com\/AdliceSoftware","https:\/\/fr.linkedin.com\/company\/adlice-software","https:\/\/www.youtube.com\/channel\/UC4CQ-gIZMGWxl-auf0QqYhQ"]},{"@type":"Person","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/a02b30804320a4059d268dc2567a307d","name":"tigzy","image":{"@type":"ImageObject","inLanguage":"es","@id":"https:\/\/www.adlice.com\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/d81e380961b1b69969fa84994ad1e4cba26afe93a49d8dd3148e9c33ffe4ccac?s=96&d=mm&r=g","caption":"tigzy"},"description":"Founder and owner of Adlice Software, Tigzy started as lead developer on the popular Anti-malware called RogueKiller. Involved in all the Adlice projects as lead developer, Tigzy is also doing research and reverse engineering as well as writing blog posts.","url":"https:\/\/www.adlice.com\/es\/author\/tigzy\/"}]}},"_links":{"self":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts\/1086","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/comments?post=1086"}],"version-history":[{"count":0,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/posts\/1086\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/media\/955"}],"wp:attachment":[{"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/media?parent=1086"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/categories?post=1086"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.adlice.com\/es\/wp-json\/wp\/v2\/tags?post=1086"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}