Malware Hits PC Cleanup tool CCleaner for nearly a month

CCleaner Malware Image

HACKERS COMPROMISED CCleaner, an application distributed by firm Avast that allows users to perform routine maintenance on their system, in order to deliver malware to unsuspecting victims.

Security Researchers from Cisco Talos said that for a period of time – between 15 August and September 12 of this year – CCleaner version 5.33 had contained a multi-stage malware payload that rode on top of the installation.

CCleaner Software Image

Cisco Talos security researchers detected the tainted CCleaner app last week while performing beta testing of a new exploit detection technology.

Researchers identified a version of CCleaner 5.33 making calls to suspicious domains. While initially, this looked like another case where a user downloaded a fake, malicious CCleaner app, they later discovered that the CCleaner installer was downloaded from the official website and was signed using a valid digital certificate.

Cisco Talos believes that a threat actor might have compromised Avast’s supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan.

It is unclear if this threat actor breached Avast’s systems without the company’s knowledge, or the malicious code was added by “an insider with access to either the development or build environments within the organization.”

Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.

The malware collected information such as computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer in part. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.

“All of the collected information was encrypted and encoded by base64 with a custom alphabet,” says Paul Yung, V.P. of Products at Piriform. “The encoded information was subsequently submitted to an external IP address 216.126.x.x (this address was hardcoded in the payload, and we have intentionally masked its last two octets here) via a HTTPS POST request.”

How to Remove Malware From Your PC

According to the Talos researchers, around 5 million people download CCleaner (or Crap Cleaner) each week, which indicates that more than 20 Million people could have been infected with the malicious version the app.

“The impact of this attack could be severe given the extremely high number of systems possibly affected. CCleaner claims to have over 2 billion downloads worldwide as of November 2016 and is reportedly adding new users at a rate of 5 million a week,” Talos said.

However, Piriform estimated that up to 3 percent of its users (up to 2.27 million people) were affected by the malicious installation.

Affected users are strongly recommended to update their CCleaner software to version 5.34 or higher, in order to protect their computers from being compromised. The latest version is available for download here.

Subscribe our Youtube Channel

2 thoughts on “Malware Hits PC Cleanup tool CCleaner for nearly a month”

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Welcome to Defenx Solution

If you need any info or details please do connect with us through any medium below. We will try to get in touch with you as early as possible.

Contact Form

or reach me via these social channels

Contact Us