Yellowstone Computing

CCleaner Compromised to Distribute Malware

9/21/2017

Guest post by Catalin Cimpanu @ BleepingComputer.com
It was disclosed this past Monday (September 18th) that the popular cleaning utility CCleaner had been compromised by a currently unknown threat actor that modified CCleaner to include the Floxif malware. CCleaner is made by Piriform, a company which was acquired by Avast (makers of the popular Avast Antivirus) in July of this year. Details of this incident are included below. If you are using CCleaner on your PC(s), you should either update to the current version or remove it. As always, if you require assistance, give us a call! – Yellowstone Computing

CCleaner Compromised to Distribute Malware for Almost a Month
Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos. Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C (Command and Control) server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts. The malware collected information such as the computer name, a list of installed software, a list of running processes, the MAC addresses of the first three network interfaces (to identify other devices on the network), and unique IDs to identify each individual computer. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.

Threat Actor Compromised CCleaner Infrastructure
Cisco Talos security researchers detected the tainted CCleaner app last week while performing beta testing of a new exploit detection technology. Researchers identified a version of CCleaner 5.33 making calls to suspicious domains. While initially, this looked like another case where a user downloaded a fake, malicious CCleaner app, they later discovered that the CCleaner installer was downloaded from the official website and was signed using a valid digital certificate. Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan. It is unclear if this threat actor breached Avast's systems without the company's knowledge, or the malicious code was added by "an insider with access to either the development or build environments within the organization."

Clean CCleaner Versions Released
Avast bought Piriform — CCleaner's original developer — in July this year, a month before CCleaner 5.33 was released. Piriform acknowledged the incident in a blog post today. The company said they found the malware in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. On September 13, Piriform released CCleaner 5.34 and pushed an update (v1.07.3214) to CCleaner Cloud users that do not contain the malicious code.

Updating to Recent Versions Removes Malware
In an email to Bleeping Computer, Avast CTO Ondrej Vlcek said that updating CCleaner to the most recent versions fixes any issues, as "the only malware to remove is the one embedded in the CCleaner binary itself." "The affected software (CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) has been installed on 2.27M machines from its inception up until now," Vlcek also added. "We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm." "There is no indication or evidence that any additional 'malware' has been delivered through the backdoor," Vlcek added.
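For anyone responsible for more than a handful of machines, the practical follow-up to the above is to go through a software inventory and sort installs into "confirmed tainted build", "update anyway" and "already on a clean build". The script below is an added example (not code from the article, Piriform or Avast) that does exactly that. The affected builds (CCleaner 5.33.6162, CCleaner Cloud 1.07.3191), the first clean builds (5.34 and 1.07.3214) and the August 15 to September 12 distribution window are taken from the article; the CSV inventory, the host names and the `triage`/`classify` helper names are constructed for the example.

```python
"""Triage an installed-software inventory for the trojanised CCleaner builds.

Added example, not part of the original article or of any vendor tooling.
Version numbers and the distribution window come from the article; the
inventory below is constructed sample data.
"""
import csv
import io
import re
from datetime import date

# Affected builds and first clean builds, as reported in the article.
AFFECTED = {"CCleaner": (5, 33, 6162), "CCleaner Cloud": (1, 7, 3191)}
FIXED = {"CCleaner": (5, 34, 0), "CCleaner Cloud": (1, 7, 3214)}

# Window in which the tainted 5.33 installer was offered on the official site.
WINDOW = (date(2017, 8, 15), date(2017, 9, 12))

# Constructed sample inventory: hostname, product, version, install date.
# "5.34" on ws-02 deliberately omits a build number; the article only names 5.34.
SAMPLE_INVENTORY = """\
host,product,version,installed
ws-01,CCleaner,5.33.6162,2017-08-20
ws-02,CCleaner,5.34,2017-09-14
ws-03,CCleaner Cloud,v1.07.3191,2017-08-30
ws-04,CCleaner,5.32.6129,2017-07-02
ws-05,CCleaner,unknown,2017-09-01
ws-06,7-Zip,16.04,2017-01-10
"""


def parse_version(text):
    """Turn '5.33.6162', '5.34' or 'v1.07.3214' into a 3-tuple of ints.

    Missing trailing components are padded with 0 so tuples compare cleanly.
    Returns None when the string holds no digits at all (e.g. 'unknown').
    """
    parts = [int(p) for p in re.findall(r"\d+", text)]
    if not parts:
        return None
    return tuple((parts + [0, 0, 0])[:3])


def classify(product, version, installed):
    """Classify one inventory row.

    'not-tracked' - product is not one of the two affected applications
    'affected'    - exactly the build the article reports as tainted
    'clean'       - at or above the first clean build
    'review'      - version unknown and installed inside the distribution window
    'update'      - anything else: older build, or version unknown outside window
    """
    if product not in AFFECTED:
        return "not-tracked"
    ver = parse_version(version)
    if ver is None:
        # No usable version string: an install dated inside the window
        # is the one most worth checking by hand.
        return "review" if WINDOW[0] <= installed <= WINDOW[1] else "update"
    if ver == AFFECTED[product]:
        return "affected"
    if ver >= FIXED[product]:
        return "clean"
    return "update"


def triage(inventory_text):
    """Map every host in a CSV inventory to its classification."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_text)):
        installed = date.fromisoformat(row["installed"])
        result[row["host"]] = classify(row["product"], row["version"], installed)
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host}: {status}")
```

The comparison is done on integer tuples rather than on the raw strings so that a two-component version such as 5.34 sorts correctly against 5.33.6162; a plain string compare would get that wrong. Hosts marked `affected` or `review` are the ones to deal with first, and per the article's advice everything marked `update` should be moved to the current release or removed as well.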

Technical details about the Floxif malware's mode of operation, infection process, and indicators of compromise are available in a Cisco Talos report at http://blog.talosintelligence.com/2017/09/avast-distributes-malware.html.
Article updated with link to Piriform blog post. Updated article for a second time with response from Avast CTO. An earlier version of this article referenced a tweet suggesting that other parts of the Avast network might be compromised. Avast investigated the issue and discovered that someone used its VPN service to send ransomware-laced spam.
