What do you think this is?

Just thoughts of a restless mind...

The problem with compromised software

As everybody probably knows by now, CCleaner was compromised and malicious individuals added a multi-stage malware payload to it. A typical case of compromised software if you ask me, much like the Ukrainian tax software that spread NotPetya. But there is another reason why compromised software is so dangerous, and it comes down to social engineering (believe it or not) used in a more advanced way than usual.

Nowadays many endpoint protection solutions use some form of behavior analysis to identify malicious activity. On that basis, I guess that products like SentinelOne, Cylance, CarbonBlack or Cybereason would pick up the infected executable based on its activity and block it. All is good so far: the software is blocked and the user is protected.

But then the SOC that handles the tool has to make a decision:

Is it a false positive or not?

And this is where the trouble starts:

  • First of all, I don't think many SOC analysts are capable of analyzing cases like this, at least not the analysts who evaluate false positives.
  • Second, even if SOC analysts can identify it, I doubt they would spend much time doing so for software such as CCleaner.
  • Third, even if the analysts do not release it as a false positive based on the name alone, I expect them to contact the end user. The end user will tell them that they started installing CCleaner, and that's it.

Eventually the software gets whitelisted as a false positive, and that's game over.

In this case your endpoint protection solution won't save you even if it identifies the threat. Your end-user education won't save you unless you have very strict controls on application approval (which almost no commercial organization has) and very smart users. And your SOC analysts' skills won't save you unless they are very advanced and have a lot of time to analyze every case, even one that looks straightforward.

What can save you? Probably nothing, but one mitigation is to have threat feeds so that you find out that CCleaner was compromised as early as possible. A strong endpoint solution would be useful too, if it could go back and identify every instance of CCleaner in your environment after a specific time (even though it was whitelisted), but I'm not aware of any endpoint solution that has this functionality.
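Nothing on this page implements that retroactive search, so here is an added example of what it would look like, written for this post and not taken from it or from any endpoint product. Given process-execution telemetry exported from the agents, one threat-feed indicator for the bad build, and the SOC's own whitelist, it lists every host that ran the compromised installer and flags which of those runs the whitelist would have hidden. Every event, file name and hash below is a constructed placeholder, not real CCleaner data; the feed format and field names are assumptions.

```python
"""Retroactive hunt for a compromised build that the SOC already whitelisted.

Added example, not code from the original post or from any endpoint product.
All data is constructed: the process-start events, the threat-feed entry and
the whitelist are made-up samples, and the SHA-256 values are placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def utc(s: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as a UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    user: str
    image: str                 # full path as reported by the agent
    sha256: Optional[str]      # None when the agent did not record a hash
    started: datetime


@dataclass(frozen=True)
class FeedIndicator:
    """One entry from a hypothetical threat feed about a trojanised release."""
    sha256: str
    names: frozenset           # lower-cased file names the release shipped under
    first_seen_bad: datetime   # when the feed says the bad build became available


@dataclass(frozen=True)
class Hit:
    host: str
    user: str
    image: str
    started: datetime
    reason: str                # "hash" or "name-in-window"
    suppressed: bool           # True if the SOC's whitelist would hide this alert


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def hunt(events, indicator: FeedIndicator, whitelist, now: datetime):
    """Find every execution of the compromised build, ignoring the whitelist.

    An exact hash match counts regardless of time or file name (a renamed copy
    is still the bad build). Events with no recorded hash fall back to a file
    name match inside [first_seen_bad, now]; that is weaker, so the reason is
    kept on the hit for the analyst to see.
    """
    wl = {n.lower() for n in whitelist}
    hits = []
    for ev in events:
        name = basename(ev.image)
        if ev.sha256 is not None:
            if ev.sha256.lower() != indicator.sha256.lower():
                continue
            reason = "hash"
        else:
            in_window = indicator.first_seen_bad <= ev.started <= now
            if name not in indicator.names or not in_window:
                continue
            reason = "name-in-window"
        hits.append(Hit(ev.host, ev.user, ev.image, ev.started, reason, name in wl))
    return sorted(hits, key=lambda h: (h.started, h.host))


def affected_hosts(hits):
    return sorted({h.host for h in hits})


# --- constructed sample data (placeholders, not real indicators) --------------
BAD_HASH = "0" * 63 + "1"    # stands in for the trojanised installer's hash
CLEAN_HASH = "0" * 63 + "2"  # stands in for a clean build

FEED = FeedIndicator(
    sha256=BAD_HASH,
    names=frozenset({"ccleaner_installer.exe", "ccleaner.exe"}),
    first_seen_bad=utc("2017-08-15 00:00"),
)
WHITELIST = {"ccleaner_installer.exe"}   # what the SOC whitelisted as a false positive
NOW = utc("2017-09-18 12:00")

EVENTS = [
    ProcessEvent("ws-01", "alice", r"C:\Users\alice\Downloads\ccleaner_installer.exe", BAD_HASH, utc("2017-08-20 09:12")),
    ProcessEvent("ws-02", "bob", r"C:\Program Files\CCleaner\CCleaner.exe", CLEAN_HASH, utc("2017-08-21 10:05")),
    ProcessEvent("ws-03", "carol", r"C:\Users\carol\Downloads\ccleaner_installer.exe", None, utc("2017-08-25 14:30")),
    ProcessEvent("ws-04", "dave", r"C:\Users\dave\Downloads\ccleaner_installer.exe", None, utc("2017-08-01 08:00")),
    ProcessEvent("ws-05", "erin", r"C:\Windows\System32\notepad.exe", None, utc("2017-08-25 15:00")),
    ProcessEvent("ws-06", "frank", r"C:\Temp\ccleaner-setup.exe", BAD_HASH, utc("2017-08-22 11:45")),
]

if __name__ == "__main__":
    found = hunt(EVENTS, FEED, WHITELIST, NOW)
    for h in found:
        flag = "WHITELISTED" if h.suppressed else "would alert"
        print(f"{h.started:%Y-%m-%d %H:%M} {h.host:6} {h.user:6} {h.reason:15} {flag}  {h.image}")
    print("affected hosts:", ", ".join(affected_hosts(found)))
```

The point of the whitelist check is that the hunt deliberately does not honour it: the hosts the SOC closed as false positives are exactly the ones you need to see again once the feed says the build was bad. The renamed copy on ws-06 only shows up because the hash match ignores the file name, which is why hash-bearing telemetry is worth keeping even for "known" software.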

Any thoughts?