Compromised version of the Windows optimisation app included a second payload targeting major tech companies.
Recent versions of Windows optimisation tool CCleaner have been compromised, the software’s owner Avast Piriform has admitted.
CCleaner has had more than 2 billion downloads overall, although Avast estimates that 2.27 million people used the infected versions: CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. No other Piriform products or CCleaner versions (including the later versions 5.34 and 5.35) were affected, the company said.
UPDATE: Avast has since acknowledged that the infected versions included an ‘advanced persistent threat’ (APT) that was programmed to deliver a second payload to a select group of large technology and telecommunications companies.
Avast says the number of targets of the second payload was likely to be “in the order of hundreds” at least – and according to Cisco’s threat intelligence group Talos, the targets included Cisco, Intel, Microsoft, Samsung, Sony, VMware, Akamai, HTC, Singtel and D-Link.
In its initial security notification, Avast said that the “unauthorised modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address” on infected systems.
“We resolved this quickly and believe no harm was done to any of our users,” it said. Nevertheless, the company recommends that users immediately upgrade CCleaner to the latest version (now v5.35) and “use a quality antivirus product such as Avast Antivirus”.
“For corporate users, the decision may be different and will likely depend on corporate IT policies,” the company says in its latest blog post. “At this stage, we cannot state that the corporate machines could not be compromised, even though the attack was highly targeted.”
The infected version 5.33 of CCleaner was released on 15 August, and was replaced by the malware-free version 5.34 on 12 September.
Cyber security firm Morphisec discovered the malware, saying in a blog post that it “first identified and prevented malicious CCleaner.exe installations on August 20 and 21 at customer sites” and later notified Avast.
Avast, which purchased CCleaner as part of its Piriform acquisition just a few months ago, said it was “working with US law enforcement in their investigation” into the attack.
Infected versions had valid digital signature
A particularly worrying aspect of the attack is that the infected versions were signed using a valid digital signature issued to Piriform. However, despite the presence of the valid signature, Talos observed that “CCleaner was not the only application that came with the download”. It contained “a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality.”
Talos says the malware could expose a wider security problem. “The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue,” it says.
“By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates.”
Craig Williams, a researcher at Talos, said it was a sophisticated attack since it penetrated a trusted supplier.
“There is nothing a user could have noticed,” Williams said, noting that the presence of the valid digital certificate meant that systems automatically trust the program.
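As an added illustration of the point Talos and Williams make above (example code, not from the article, Avast or Piriform): a PowerShell audit that lists installed CCleaner binaries with their Authenticode status next to their file version, flagging the two builds the article names. The install paths and the layout of the version fields inside the binary are assumptions; only the version numbers come from the article.

```powershell
# Added example: a "Valid" Authenticode status is reported side by side with the
# build number, because the signature alone did not distinguish the compromised
# builds from clean ones. Version numbers are taken from the article.
$AffectedVersions = @{
    'CCleaner'       = [version]'5.33.6162'
    'CCleaner Cloud' = [version]'1.07.3191'
}

# Assumed default install locations; extend for your estate.
$CandidatePaths = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "$env:ProgramFiles\CCleaner\CCleaner64.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
)

function Get-NormalizedVersion {
    param([System.Diagnostics.FileVersionInfo]$Info)
    # The PE version resource holds four numeric fields while the article quotes
    # three-part versions; dropping zero fields is an assumption about the layout.
    $parts = @($Info.FileMajorPart, $Info.FileMinorPart,
               $Info.FileBuildPart, $Info.FilePrivatePart) | Where-Object { $_ -ne 0 }
    if ($parts.Count -lt 2) { return $null }
    return [version]($parts -join '.')
}

function Test-CCleanerBinary {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return }

    $info    = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($Path)
    $product = if ($info.ProductName -match 'Cloud') { 'CCleaner Cloud' } else { 'CCleaner' }
    $version = Get-NormalizedVersion -Info $info
    $sig     = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path            = $Path
        Product         = $product
        FileVersion     = $version
        SignatureStatus = $sig.Status                  # can be 'Valid' on an affected build
        Signer          = $sig.SignerCertificate.Subject
        SHA256          = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        AffectedBuild   = ($null -ne $version) -and ($version -eq $AffectedVersions[$product])
    }
}

$CandidatePaths | ForEach-Object { Test-CCleanerBinary -Path $_ } | Format-Table -AutoSize
```

Rows with `SignatureStatus` of `Valid` and `AffectedBuild` of `True` are the case the article describes; the SHA256 column is there so the file can be compared against a known-good allowlist rather than trusted on its signature.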
From TalkTalk to Ashley Madison, major hacking and data breaches have been consistently damaging over the past few years, and anyone can be caught in the crossfire.
From ransomware-based extortion to malicious macros hidden in email attachments, you should be well aware of the threats you face while surfing the web. To help stay safe, see our ransomware defence guide and our guide to removing malware.
This article includes reporting from alphr.com.