

In analyzing DNS-based telemetry data related to this attack, Talos identified a significant number of systems making DNS requests attempting to resolve the domains associated with the aforementioned DGA. As these domains have never been registered, it is reasonable to conclude that the only condition under which systems would attempt to resolve the IP addresses associated with them is that they had been impacted by this malware. While most of the domains associated with this DGA have little to no request traffic associated with them, the domains related to the months of August and September (which correlates with when this threat was active in the wild) show significantly more activity.

As mentioned earlier in this post, the version of CCleaner that included this malware was released on August 15, 2017. Looking at the DNS-related activity observed by Cisco Umbrella for the month of July 2017 (prior to CCleaner 5.33 being released), we observed very little in the way of DNS requests to resolve the IP address for the DGA domain associated with this malware.

The following graph shows a significant increase in the amount of DNS activity associated with the DGA domain used in August 2017.

Note that in September it appears that the DNS activity shifted from the DGA domain previously used in August to the one used in September, which matches the time-based DGA algorithm described in the "Domain Generation Algorithm" section of this blog post. After reaching out to Avast, we noted that the server was taken down and became unavailable to already infected systems. As a result, we saw a significant increase in the amount of requests that were being directed at the fallback DGA domains used by the malware.

Below is a simplified timeline of events, based on Avast's recent statement.

July 3 - Evidence suggests hackers breached Piriform's IT systems.
July 18 - Avast decides to buy Piriform, the company behind CCleaner.
August 15 - Piriform, now part of Avast, releases CCleaner 5.33. The 32-bit version included the Floxif trojan.
August 20 and 21 - Morphisec's security product detects first instances of malicious activity (malware was collecting device details and sending the data to a remote server), but Morphisec does not notify Avast.
August 24 - Piriform releases a CCleaner Cloud version that also includes the Floxif trojan.
September 11 - Morphisec customers share detection logs detailing CCleaner-related malicious activity with the company's engineers.
September 12 - Morphisec notifies Avast and Cisco of the suspicious CCleaner activity.
September 14 - Cisco notifies Avast of its own findings. Avast starts its own investigation and also notifies US law enforcement.
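To show the telemetry reasoning above in working form, here is an added example (not code from Talos, Avast or the original post) that scans constructed resolver log lines for queries to month-keyed DGA names, counts activity per month and per client, and flags any DGA name that unexpectedly resolved. The domain names and log lines are placeholders constructed for the example, not the real Floxif indicators.

```python
from collections import defaultdict

# Constructed placeholder names standing in for the month-keyed DGA output.
# These are NOT the real Floxif domains; .example is a reserved TLD.
DGA_DOMAINS = {
    "2017-07": "dga-2017-07.example",
    "2017-08": "dga-2017-08.example",
    "2017-09": "dga-2017-09.example",
}
DGA_LOOKUP = {domain: month for month, domain in DGA_DOMAINS.items()}

# Constructed resolver log: timestamp, client, qtype, qname, rcode.
SAMPLE_LOG = """\
2017-07-30T08:00:00Z 10.0.0.7 A www.example.net NOERROR
2017-08-20T10:15:02Z 10.0.0.5 A dga-2017-08.example NXDOMAIN
2017-08-21T11:01:44Z 10.0.0.9 A dga-2017-08.example NXDOMAIN
2017-08-21T11:02:10Z 10.0.0.5 A dga-2017-08.example NXDOMAIN
2017-09-01T00:05:00Z 10.0.0.5 A dga-2017-09.example NXDOMAIN
2017-09-01T00:06:30Z 10.0.0.9 A dga-2017-09.example NXDOMAIN
2017-09-02T09:00:00Z 10.0.0.11 A dga-2017-09.example NXDOMAIN
2017-09-02T09:30:00Z 10.0.0.11 A www.example.net NOERROR
"""

def parse_line(line):
    ts, client, qtype, qname, rcode = line.split()
    return {"ts": ts, "client": client, "qtype": qtype,
            "qname": qname.lower().rstrip("."), "rcode": rcode}

def dga_hits(log_text):
    """Return ({month: {client: count}}, set_of_resolved_dga_names).
    A never-registered name should answer NXDOMAIN; a NOERROR answer means
    the name now resolves (registered or sinkholed) and deserves a look."""
    hits = defaultdict(lambda: defaultdict(int))
    resolved = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        month = DGA_LOOKUP.get(rec["qname"])
        if month is None:
            continue  # not a DGA name, ignore
        hits[month][rec["client"]] += 1
        if rec["rcode"] != "NXDOMAIN":
            resolved.add(rec["qname"])
    return {m: dict(c) for m, c in hits.items()}, resolved

def suspected_infected(log_text):
    """Clients that queried any DGA name, with the months they did so."""
    hits, _ = dga_hits(log_text)
    clients = defaultdict(set)
    for month, per_client in hits.items():
        for client in per_client:
            clients[client].add(month)
    return {c: sorted(months) for c, months in clients.items()}

def month_activity(log_text):
    """Total DGA queries per month (zero months included) to show the shift."""
    hits, _ = dga_hits(log_text)
    return {m: sum(hits.get(m, {}).values()) for m in sorted(DGA_DOMAINS)}
```

Run against real resolver logs, the same logic gives the per-month shift the post describes and a list of hosts to triage.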
