S0222 CCBkdr
CCBkdr is malware that was injected into a signed version of CCleaner and distributed from CCleaner’s distribution website. [1][2]
Item | Value |
---|---|
ID | S0222 |
Associated Names | (none) |
Type | MALWARE |
Version | 1.2 |
Created | 18 April 2018 |
Last Modified | 20 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1568 | Dynamic Resolution | - |
Enterprise | T1568.002 | Domain Generation Algorithms | CCBkdr can use a DGA as a fallback channel if communication with the primary command and control server is lost. [1] |
Enterprise | T1195 | Supply Chain Compromise | - |
Enterprise | T1195.002 | Compromise Software Supply Chain | CCBkdr was added to a legitimate, signed 5.33 build of CCleaner and distributed from CCleaner’s distribution site, so the backdoored installer carried a valid code signature. [1][2][3] |
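As an added illustration of the two behaviours in the table above (example code written for this page, not code from the CCBkdr sample or from the cited reports): a toy time-seeded DGA of the kind an implant uses as a fallback channel once the primary C2 stops resolving, and the matching defender-side check, a burst of NXDOMAIN answers from one client as it walks through candidates nobody has registered. The seed, the `ab<hex>.com` domain shape, the host names and the DNS log lines are all constructed for this example and are assumptions; CCBkdr's real algorithm is described only in the Talos report [1].

```python
"""Time-seeded DGA fallback (implant side) and an NXDOMAIN-burst detector
(defender side). Hypothetical example: seed, domain shape, names and log
lines are constructed for illustration and are not CCBkdr's real algorithm."""
import hashlib
from collections import defaultdict
from typing import Callable, Dict, List, Optional, Tuple

SEED = b"example-seed"              # assumption: any secret shared by implant and operator
PRIMARY_C2 = "primary-c2.example"   # assumption: placeholder primary C2 name
CANDIDATES_PER_MONTH = 12


def dga_domains(year: int, month: int, seed: bytes = SEED,
                count: int = CANDIDATES_PER_MONTH) -> List[str]:
    """Derive a deterministic list of candidate domains from year and month.
    Implant and operator compute the same list with no network exchange, so the
    operator only has to register one of them after the primary C2 is lost."""
    domains = []
    for i in range(count):
        material = seed + f"{year}-{month:02d}-{i}".encode()
        digest = hashlib.sha256(material).hexdigest()
        domains.append(f"ab{digest[:12]}.com")
    return domains


def choose_c2(year: int, month: int,
              resolver: Callable[[str], Optional[str]]) -> Optional[Tuple[str, str]]:
    """Fallback-channel logic: use the primary C2 if it resolves; otherwise walk
    this month's DGA candidates in order and take the first that resolves.
    `resolver(name)` returns an IP string or None; it is injected so the
    example runs offline against a constructed lookup table."""
    for name in [PRIMARY_C2, *dga_domains(year, month)]:
        addr = resolver(name)
        if addr:
            return name, addr
    return None


# Constructed resolver log, one query per line: "<client> <qname> <rcode>".
SAMPLE_DNS_LOG = """\
10.0.0.5 update.example NOERROR
10.0.0.7 primary-c2.example NXDOMAIN
10.0.0.7 ab1111aaaa2222.com NXDOMAIN
10.0.0.7 ab3333bbbb4444.com NXDOMAIN
10.0.0.7 ab5555cccc6666.com NXDOMAIN
10.0.0.7 ab7777dddd8888.com NOERROR
10.0.0.9 mail.example NOERROR
"""


def nxdomain_burst_hosts(log_text: str, threshold: int = 3) -> Dict[str, int]:
    """Defender side: a host cycling through unregistered DGA candidates leaves
    a run of NXDOMAIN answers. Return clients at or above `threshold`."""
    counts: Dict[str, int] = defaultdict(int)
    for line in log_text.splitlines():
        client, _qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            counts[client] += 1
    return {c: n for c, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    candidates = dga_domains(2017, 9)
    # Simulate the fallback: primary C2 is down, operator registered candidate 3.
    registered = {candidates[2]: "203.0.113.10"}
    print(choose_c2(2017, 9, registered.get))
    print(nxdomain_burst_hosts(SAMPLE_DNS_LOG))
```

The detector is deliberately simple: in practice the NXDOMAIN count is taken per client per time window and combined with a lexical check on the queried names, since a client with a misconfigured search suffix also produces NXDOMAIN runs.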
References
1. Brumaghin, E. et al. (2017, September 18). CCleanup: A Vast Number of Machines at Risk. Retrieved March 9, 2018.
2. Rosenberg, J. (2017, September 20). Evidence Aurora Operation Still Active: Supply Chain Attack Through CCleaner. Retrieved February 13, 2018.
3. Avast Threat Intelligence Team. (2018, March 8). New investigations into the CCleaner incident point to a possible third stage that had keylogger capacities. Retrieved March 15, 2018.