Posted on September 19, 2017 at 1:35 PM
Researchers recently discovered backdoor malware in CCleaner v5.33, putting over 2 million users at risk.
CCleaner is arguably one of the most popular security and system-cleaning utilities on the market, with more than 2 billion downloads. Yet this software was recently compromised by attackers in order to install backdoor malware on more than 2 million unsuspecting users’ devices.
Talos, a division of cybersecurity firm Cisco, stated that this latest attack could have severe repercussions, considering the high number of potentially affected systems.
CCleaner markets itself as “the number-one tool for cleaning your PC”. As of November 2016 it had been downloaded at least 2 billion times, and it has enjoyed an average growth rate of a further 5 million downloads per week.
The backdoor, through which the attackers could install further malware, was found in CCleaner version 5.33 and had been distributed since 15 August. The infected version is thought to have reached at least 2.27 million users directly.
Talos researchers stated on Monday that, until 12 September, the CCleaner build offered for download from the official server was the one carrying the malicious payload.
An affected user could fall victim to attackers stealing sensitive data, including logins and credentials used for internet banking, online transactions and various other online activities.
Given the vast number of people affected and the implications, Talos decided that the best policy was to move as quickly as possible, and so informed Avast of its findings on 13 September.
Avast currently owns CCleaner, having purchased its developer, the British company Piriform, in July of this year.
The most worrying aspect of this attack is that the attackers were able to insert malware into a legitimate, signed software release. Considering the sheer number of people affected, this attack is comparable to the “NotPetya” ransomware outbreak, which also spread through a compromised update of a legitimate application.
Legitimate CCleaner downloads were found to contain a malicious payload that included a Domain Generation Algorithm (DGA) as well as Command and Control (C2) functionality.
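To make the DGA and C2 mechanism concrete, here is an added illustrative example. It is not the CCleaner payload’s actual algorithm (this page does not describe it) and not code from Talos, Piriform or Avast: a simple time-seeded DGA of the kind such backdoors use, shown from both sides. The infected host tries a hard-coded primary C2 and falls back to the current month’s generated domain; the defender precomputes the same domains for the coming months so they can be registered (sinkholed) or blocklisted before the malware rolls over to them, and scans DNS logs for lookups of them. The seed, TLD, domain names and log lines are constructed for illustration.

```python
"""Illustrative time-seeded DGA and the matching defender precomputation.

Added example: NOT the real CCleaner DGA and not vendor code. SEED, TLD,
the primary C2 name and the sample DNS log lines are all constructed.
"""
import hashlib
from typing import Dict, List

# Hypothetical constants; a real family hard-codes its own values.
SEED = b"illustrative-dga-seed"
TLD = ".com"


def dga_domain(year: int, month: int, seed: bytes = SEED) -> str:
    """One domain per calendar month: first 12 hex chars of SHA-256(seed || 'YYYY-MM')."""
    digest = hashlib.sha256(seed + f"{year:04d}-{month:02d}".encode()).hexdigest()
    return digest[:12] + TLD


def dga_schedule(year: int, month: int, months: int, seed: bytes = SEED) -> List[str]:
    """Defender view: precompute the domains for `months` consecutive months,
    starting at (year, month), so they can be sinkholed or blocklisted ahead of time."""
    domains = []
    for _ in range(months):
        domains.append(dga_domain(year, month, seed))
        month += 1
        if month > 12:  # roll over into the next year
            month, year = 1, year + 1
    return domains


def c2_candidates(year: int, month: int, primary: str = "c2.example.invalid") -> List[str]:
    """Infected-host view: a hard-coded primary C2 first, then the current month's
    DGA domain as the fallback if the primary is unreachable or taken down."""
    return [primary, dga_domain(year, month)]


def flag_dga_queries(dns_log: List[str], blocklist: List[str]) -> List[Dict[str, str]]:
    """Scan DNS query log lines of the constructed form '<ts> <client_ip> <qname>'
    and return those whose queried name falls inside the precomputed DGA window."""
    wanted = {d.lower() for d in blocklist}
    hits = []
    for line in dns_log:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        ts, client, qname = parts
        if qname.lower().rstrip(".") in wanted:
            hits.append({"ts": ts, "client": client, "qname": qname})
    return hits


if __name__ == "__main__":
    window = dga_schedule(2017, 8, 6)  # Aug 2017 .. Jan 2018
    # Constructed log lines; one host looks up the September 2017 DGA domain.
    sample_log = [
        "2017-09-14T08:01:02Z 10.0.0.12 www.example.com",
        f"2017-09-14T08:01:05Z 10.0.0.12 {dga_domain(2017, 9)}",
        "2017-09-14T08:02:11Z 10.0.0.33 update.example.org",
    ]
    print("fallback order on an infected host:", c2_candidates(2017, 9))
    for hit in flag_dga_queries(sample_log, window):
        print("possible C2 lookup:", hit)
```

The defender’s advantage here is that the generator is deterministic: once the seed is recovered from a sample, every future domain is known, which is exactly what lets an incident responder register the upcoming domains and turn the attacker’s fallback channel into a sinkhole that enumerates infected hosts.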
In their report, the Talos researchers stated that the infected version (5.33) was made available on 15 August and that version 5.34 was released on 12 September; the malware must therefore have been distributed between those dates.
The infected versions carried a valid code-signing certificate issued by Symantec to Piriform, which according to the researchers remains technically valid until 10 October 2018. Experts expect the certificate to be revoked. The practical lesson is that a valid signature only proves the binary was signed with the publisher’s key, not that it is clean; defenders should not rely on signature checks alone and should compare file hashes against the indicators published by the vendor and the researchers.
According to Talos, this attack is yet another example of the lengths attackers will go to in order to distribute infected software to individuals and corporations all over the world. The truly worrying part is that they are now exploiting the trust relationship between security software vendors and their users to achieve that goal.
Since the malware was discovered, Paul Yung, Vice President at Piriform, has apologised in a blog post.
Yung stated that the company is in the process of resolving the threat: since the malware was exposed, the rogue server has been shut down, other potentially vulnerable servers have been taken out of the attacker’s control, and all existing CCleaner users on v5.33.6162 will be updated to the latest version.
An investigation is still ongoing into how the unauthorized code was introduced into the CCleaner software, where the attack came from, and who is responsible.
All CCleaner users are advised to update to the latest available version in order to avoid any malicious activity.