CCleaner Hacked Infecting Millions with Backdoor Malware

Posted September 19, 2017

Marco Cova, a senior security researcher at cyber security company Lastline, told International Business Times supply chain attacks are "sort of a holy grail for malware authors because they can efficiently distribute their malware, hide it in a trusted channel, and reach a potentially large number of users".

The affected version of CCleaner included code that installed a backdoor capable of downloading and executing further malicious programs on the affected system.

CCleaner, a system-cleaning utility with more than two billion downloads, was recently hijacked to distribute backdoor malware to more than 2 million unsuspecting victims.

"Upon closer inspection, the executable in question was the installer for CCleaner v5.33, which was being delivered to endpoints by the legitimate CCleaner download servers", the Cisco Talos team says. Talos added that very few antivirus programs could catch the CCleaner malware at the time: only one engine out of 64 (ClamAV) detected it.

The backdoor sent information about the infected machine to a remote server. Piriform describes this data as "non-sensitive", and says there are "no indications that any other data has been sent to the server".

"To the best of our knowledge, we were able to disarm the threat before it was able to do any harm", said Paul Yung, Piriform's vice president of products. A similar attack, the malware expert added, was carried out through accounting software in Ukraine in June.

What we can learn from this incident is that attackers are increasingly targeting the developers of popular software as a way to infect millions of users at once. As Talos describes in its breakdown of the malware, the implanted code first lies dormant to avoid automated detection systems, then checks whether it is running with administrator privileges before proceeding. Security researchers at Cisco Systems Inc and Morphisec Ltd alerted Piriform's parent, Avast Software, to the compromise last week. Through this backdoor the attackers received data about each infected machine and kept a channel open for pushing further payloads to it.

CCleaner is an application that helps computer owners keep their devices optimised by cleaning cookies, internet history and other temporary files.

CCleaner was developed by Piriform, which was bought by security company Avast earlier this year, prior to the recent update that contained malware.

Piriform, the firm behind CCleaner, has published a blog post apologizing to its customers. It recommends that users running older versions of the software manually update to the latest release, which is now version 5.34. "The investigation is still ongoing", Piriform's Yung said.

"At this stage, we don't want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it", he said. "Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public".
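Because the trojanized installer was served from Piriform's own download servers, "came from the official site" is not a useful clean/dirty signal; the build number is. The helper below is an added example, not code from the article or from Piriform, that triages a software inventory against the two modified builds named above (CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191) and the 5.34 release Piriform asked users to move to. The inventory is constructed inline; the 1.07.3214 clean release for CCleaner Cloud and the four-part Windows file-version layout ("5.33.0.6162") are assumptions the article does not state.

```python
"""Fleet triage for the CCleaner 5.33.6162 / CCleaner Cloud 1.07.3191 compromise.

Each host in an inventory is classified as COMPROMISED (running a build Piriform
said was modified), OUTDATED (an older build the vendor asked users to update)
or CURRENT. Added example; not Piriform's code.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int]  # (major, minor, build)

# Builds Piriform identified as illegally modified.
COMPROMISED_BUILDS: Dict[str, Version] = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}

# First clean release per product. 5.34 is named in the article; the CCleaner
# Cloud value 1.07.3214 is an assumption taken from the vendor's own notice.
FIXED_VERSIONS: Dict[str, Version] = {
    "CCleaner": (5, 34, 0),
    "CCleaner Cloud": (1, 7, 3214),
}

RECOMMENDED_ACTION = {
    "COMPROMISED": "update immediately and investigate the host for follow-on activity",
    "OUTDATED": "update to the current clean release",
    "CURRENT": "no action",
}


def parse_version(text: str) -> Version:
    """Normalize a version string to (major, minor, build).

    Accepts the marketing form "5.33.6162" or "v5.33.6162", and (assumed layout)
    the four-part Windows file-version form "5.33.0.6162" / "5, 33, 0, 6162",
    where the third field is a zero placeholder and the build number is last.
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if len(parts) == 4:
        major, minor, _, build = parts
    elif len(parts) == 3:
        major, minor, build = parts
    elif len(parts) == 2:
        major, minor = parts
        build = 0
    else:
        raise ValueError(f"unrecognised version string: {text!r}")
    return (major, minor, build)


def classify(product: str, version: str) -> str:
    """Return COMPROMISED, OUTDATED or CURRENT for one product/version pair.

    Every install of a modified build is treated as compromised, regardless of
    architecture: the conservative choice for a fleet-wide sweep.
    """
    if product not in COMPROMISED_BUILDS:
        raise ValueError(f"unknown product: {product!r}")
    v = parse_version(version)
    if v == COMPROMISED_BUILDS[product]:
        return "COMPROMISED"
    if v < FIXED_VERSIONS[product]:
        return "OUTDATED"
    return "CURRENT"


def triage(inventory: List[Dict[str, str]]) -> Dict[str, Tuple[str, str]]:
    """Map each host to (status, recommended action)."""
    results: Dict[str, Tuple[str, str]] = {}
    for row in inventory:
        status = classify(row["product"], row["version"])
        results[row["host"]] = (status, RECOMMENDED_ACTION[status])
    return results


# Constructed sample inventory; host names and non-vendor versions are made up.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "CCleaner", "version": "5.33.6162"},
    {"host": "ws-02", "product": "CCleaner", "version": "5.33.0.6162"},  # file-version form
    {"host": "ws-03", "product": "CCleaner", "version": "5.32.6129"},
    {"host": "ws-04", "product": "CCleaner", "version": "5.34.6207"},
    {"host": "ws-05", "product": "CCleaner Cloud", "version": "1.07.3191"},
    {"host": "ws-06", "product": "CCleaner Cloud", "version": "1.07.3214"},
]

if __name__ == "__main__":
    for host, (status, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status} -> {action}")
```

Run as-is to see the sample classification; in practice the inventory rows would come from an endpoint agent or a registry/file-version sweep, and the exact-build match is what distinguishes a compromised 5.33 install from a merely old one.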