SecurityWeek

Malware & Threats
Millions Download Maliciously Modified PC Utility

Infected CCleaner Utility Highlights Dangers of Software Supply Chain Attacks

More than 2 million users are estimated to have downloaded a maliciously modified version of a software utility owned by antivirus firm Avast.

The affected application, CCleaner, helps users perform routine maintenance on their systems, and provides functionality such as temporary files deletion, performance optimization analysis, and application management. Developed by Piriform Ltd, which was acquired by Avast in July, the software had around 2 billion total downloads as of November 2016.

The infected CCleaner versions include 32-bit CCleaner v5.33.6162, released on August 15, and CCleaner Cloud v1.07.3191, which was released on August 24. The issue was discovered last week, nearly a month after the infected application was made available for download.

No information on how the compromise happened has been provided as of now, but Cisco Talos security researchers discovered that the infected CCleaner installers were signed with a valid certificate and were being hosted directly on CCleaner’s download server.

“The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally this certificate should be revoked and untrusted moving forward,” Cisco says.

The installers were infected with malware known as Floxif and were modified so that the malicious code runs during the legitimate application’s installation process. The malicious code includes steps designed to evade detection, and it terminates execution if the user doesn’t have admin privileges. It also uses a Domain Generation Algorithm (DGA).

The malware was designed to gather various data from the infected systems, including computer name, IP address, list of installed software, list of active software, and list of network adapters, and to send it to a third-party server in the United States, Piriform reveals. According to the company, this non-sensitive data is the only data that was sent to the server.

Piriform also claims to have taken the necessary steps to ensure that its CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 users were safe, all while working with U.S. law enforcement to shut down the server, which was accomplished on Sept. 15.

The company says it worked with download sites to remove CCleaner v5.33.6162, pushed a notification urging CCleaner users to update to v5.34, and automatically updated CCleaner Cloud users from v1.07.3191 to v1.07.3214, in addition to delivering an automatic update to Avast Antivirus users.

“At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing,” Paul Yung, VP, Products, Piriform, notes in a technical post detailing the incident.

The company says that only around 3% of CCleaner users have been impacted by the incident. In July, the application had over 130 million users worldwide, including 15 million Android users. Responding to an email inquiry from SecurityWeek, an Avast spokesperson said that an estimated 2.27 million users have downloaded the infected CCleaner versions.

“We estimate that 2.27 million users had the v5.33.6162 software, and 5,010 users had the v1.07.3191 of CCleaner Cloud installed on 32-bit Windows machines. We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm,” the company’s official said.

While analyzing the domains associated with the infection, Cisco discovered an increase in activity following the August 15 release of the infected CCleaner variant. The company also notes that the antivirus detection for the threat was very low at the time of analysis.

Impacted users are advised to update to CCleaner v5.34 as soon as possible. They should also scan their systems with an antivirus solution to remove any malicious code that might still be present. According to Cisco, users should consider restoring their machines to a state before August 15, 2017, or even perform a full reinstall.
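For triaging hosts, the following is an added example (not code from the article, Piriform, Avast or Cisco) that applies the affected-build list above and Cisco’s caveat that a valid signature is not proof of a clean build: it flags CCleaner binaries matching the trojanized versions and reports whether the Authenticode signer is one you have chosen to distrust. The install paths, ProductName strings, FileVersion layout and the distrusted-certificate thumbprint are assumptions or placeholders.

```powershell
# Added host-triage example; not code from the article or any company named in it.
# ASSUMPTIONS: install paths, ProductName strings and FileVersion layout are guesses;
# the distrusted thumbprint is a PLACEHOLDER, not the real signing certificate.

$AffectedBuilds = @(
    @{ Product = 'CCleaner';       Version = '5.33.6162' },   # 32-bit build released Aug 15
    @{ Product = 'CCleaner Cloud'; Version = '1.07.3191' }    # released Aug 24
)
$DistrustedThumbprints = @('PLACEHOLDER_THUMBPRINT_OF_DISTRUSTED_SIGNING_CERT')

function Test-BuildMatch {
    # FileVersion strings vary ("5.33.6162", "5.33.0.6162", "5, 33, 0, 6162"), so
    # compare major, minor and the final build number rather than the raw string.
    param([string]$FileVersion, [string]$Affected)
    $f = [regex]::Matches($FileVersion, '\d+') | ForEach-Object { [int]$_.Value }
    $a = [regex]::Matches($Affected,    '\d+') | ForEach-Object { [int]$_.Value }
    return ($f.Count -ge 3 -and $f[0] -eq $a[0] -and $f[1] -eq $a[1] -and $f[-1] -eq $a[-1])
}

function Test-CCleanerBinary {
    param([Parameter(Mandatory)][string]$Path)
    $info  = (Get-Item -LiteralPath $Path).VersionInfo
    $bytes = [IO.File]::ReadAllBytes($Path)
    # PE header: e_lfanew at 0x3C points to "PE\0\0"; the Machine field follows (0x14C = x86).
    $peOff = [BitConverter]::ToInt32($bytes, 0x3C)
    $is32  = [BitConverter]::ToUInt16($bytes, $peOff + 4) -eq 0x14C

    $hit = $AffectedBuilds | Where-Object {
        $info.ProductName -like "$($_.Product)*" -and (Test-BuildMatch $info.FileVersion $_.Version)
    }
    $sig   = Get-AuthenticodeSignature -FilePath $Path
    $thumb = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { '' }

    [pscustomobject]@{
        Path             = $Path
        Product          = $info.ProductName
        FileVersion      = $info.FileVersion
        Is32Bit          = $is32
        AffectedBuild    = [bool]$hit -and $is32   # only the 32-bit builds were trojanized
        SignatureStatus  = $sig.Status             # 'Valid' alone is not proof of a clean build
        SignerThumbprint = $thumb
        SignerDistrusted = $DistrustedThumbprints -contains $thumb
    }
}

# Scan the usual (assumed) install locations and print one record per binary found.
Get-ChildItem 'C:\Program Files*\CCleaner\CCleaner*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object { Test-CCleanerBinary -Path $_.FullName } | Format-List
```

A record with AffectedBuild true, or any record whose SignerDistrusted is true despite a Valid SignatureStatus, is the cue to follow the article’s remediation steps rather than trust the signature.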

Related: Avast Acquires CCleaner Developer Piriform

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
