HACKERS COMPROMISED CCleaner, an application distributed by firm Avast that allows users to perform routine maintenance on their system, in order to deliver malware to unsuspecting victims.
Security Researchers from Cisco Talos said that for a period of time – between 15 August and September 12 of this year – CCleaner version 5.33 had contained a multi-stage malware payload that rode on top of the installation.
Cisco Talos security researchers detected the tainted CCleaner app last week while performing beta testing of a new exploit detection technology.
Researchers identified a version of CCleaner 5.33 making calls to suspicious domains. While initially, this looked like another case where a user downloaded a fake, malicious CCleaner app, they later discovered that the CCleaner installer was downloaded from the official website and was signed using a valid digital certificate.
Cisco Talos believes that a threat actor might have compromised Avast’s supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan.
It is unclear if this threat actor breached Avast’s systems without the company’s knowledge, or the malicious code was added by “an insider with access to either the development or build environments within the organization.”
Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.
“All of the collected information was encrypted and encoded by base64 with a custom alphabet,” says Paul Yung, V.P. of Products at Piriform. “The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request.”
How to Remove Malware From Your PC
According to the Talos researchers, around 5 million people download CCleaner (or Crap Cleaner) each week, which indicates that more than 20 Million people could have been infected with the malicious version the app.
“The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week,” Talos said.
However, Piriform estimated that up to 3 percent of its users (up to 2.27 million people) were affected by the malicious installation.
Affected users are strongly recommended to update their CCleaner software to version 5.34 or higher, in order to protect their computers from being compromised. The latest version is available for download here.