Hackers successfully compromised CCleaner's build and distribution pipeline to inject malware into the software tool and ship it to users through the product's own trusted download channel.
According to researchers from Talos, the cybersecurity division of Cisco, version 5.33 of the tool (offered for download between August 15 and September 12) had been modified to carry the Floxif malware, spreading it to over two million users who downloaded that version.
The Floxif trojan gathers information about the infected host system and sends it to the adversary’s server.
The malware can also run on other binaries and download multi-stage payloads.
The Cisco Talos team discovered that the download servers of Avast, a top software vendor and also the company that owns CCleaner, were hacked so that the malware was delivered during installation.
Another report, published by Morphisec, also confirms that the software's infrastructure was compromised for almost a month.
CCleaner, a popular application branded as “number one tool for cleaning your PC,” has over two billion downloads and a high growth rate of at least five million additional users per week.
This software is maintained by a British company known as Piriform. It was purchased earlier this year by Avast, one of the top multi-national security and technology companies.
The touted internet security software is designed to wipe cookies and offer web privacy protections while keeping your PC running smoothly.
Hackers were able to infiltrate the application and breach its security through an unusual means of attack: tampering with the legitimate build rather than exploiting the installed product.
Researchers from Talos said the impact of such an attack could be severe, considering the extremely high number of systems prone to malware infection.
An Unusual Hack Attack On Software Update Mechanisms
It is unfortunate that software tools trusted by most consumers and meant to optimize systems can be compromised through such an unexpected attack.
According to Talos, the CCleaner hack is a prime example of the extent to which attackers are attempting to distribute malware to both individuals and organizations around the world.
In their in-depth research analysis, the Talos researchers noted that exploiting the trust relationship between software users and vendors is a potential loophole through which attackers can benefit from consumers’ inherent trust in both files and web servers responsible for distributing updates.
Distribution channels of this kind, which spread malware so easily, appear to be a growing target for hackers.
By incorporating malware into the most legitimate downloads, the biggest fear is that the outbreak could resemble the "NotPetya" ransomware attack initiated earlier this year, after the MeDoc update servers were used to distribute the malicious program.
The Floxif trojan enrols infected PCs into a botnet. The malicious payload incorporated in the CCleaner installer includes Command and Control (C2) functionality and a Domain Generation Algorithm (DGA), so the implant can keep locating its server even if individual domains are taken down.
Talos researchers noted that a network of infected hosts of this size has the potential to cause great damage: it would allow hackers to steal sensitive data and credentials for internet banking, commit electronic fraud, or abuse any other online activity.
Piriform, the original developer of CCleaner, acknowledged that both version 5.33.6162 and the online version, CCleaner Cloud 1.07.3191, were illicitly modified before their release.
In response to these findings, Piriform wrote in a blog post that the company apologizes for the malware, adding that investigations are underway to determine how the unauthorized code infiltrated the software and who exactly stood behind the attack, without speculating in the meantime.
However, the developers believe they were able to prevent the malware breach from harming users.
An Avast spokesperson said that the threat was disarmed before it could cause any harm by bringing the rogue server down and moving all existing CCleaner 5.33 users to the latest version.
Updating to Recent Versions Eliminates the Malware
Avast CTO Ondrej Vlcek said that the only sure way to remove the malware is to update the software to the latest version.
Last week, the company released CCleaner version 5.34 and updated the program's cloud edition to version 1.07.3214, neither of which contains the malicious code.
All users running CCleaner should, therefore, upgrade to the newest versions immediately to protect themselves.
Meanwhile, security researchers are closely monitoring the latest innovative ways through which hackers can breach multiple systems with malware.
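A defender's first step is to find which endpoints still run the tampered builds. The script below is an added example (not code from Talos, Piriform or Avast) that triages a constructed software-inventory export against the build numbers named in this article: 5.33.6162 and CCleaner Cloud 1.07.3191 are compromised, and 5.34 / Cloud 1.07.3214 are the first clean releases. The tab-separated `host / product / version` format is an assumption.

```python
# Build numbers come from the article; the inventory format is assumed.
COMPROMISED = {"CCleaner": (5, 33, 6162), "CCleaner Cloud": (1, 7, 3191)}
FIXED_MIN = {"CCleaner": (5, 34), "CCleaner Cloud": (1, 7, 3214)}

# Constructed sample export, one install per line: host<TAB>product<TAB>version
INVENTORY = """\
ws-01\tCCleaner\t5.33.6162
ws-02\tCCleaner\tv5.34.6079
ws-03\tCCleaner Cloud\t1.07.3191
ws-04\tCCleaner Cloud\t1.07.3214
ws-05\tCCleaner\t5.32.6129
ws-06\tNotepad++\t7.5
"""


def parse_version(text):
    """'v5.33.6162' -> (5, 33, 6162). Stops at the first non-numeric piece."""
    parts = []
    for piece in text.strip().lstrip("vV").split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def classify(product, version):
    """Return 'compromised', 'outdated', 'ok' or 'unknown' for one install."""
    if product not in COMPROMISED:
        return "unknown"          # not a product this check knows about
    v = parse_version(version)
    if not v:
        return "unknown"          # unparsable version string
    if v == COMPROMISED[product]:
        return "compromised"      # the exact build the vendor says was tampered
    fixed = FIXED_MIN[product]
    if v[: len(fixed)] < fixed:   # anything older than the first clean release
        return "outdated"
    return "ok"


def triage(lines):
    """Map each host in the export to its status; skip malformed lines."""
    result = {}
    for line in lines:
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 3:
            continue
        host, product, version = fields
        result[host] = classify(product, version)
    return result


if __name__ == "__main__":
    for host, status in sorted(triage(INVENTORY.splitlines()).items()):
        print(f"{host}: {status}")
```

Hosts reported as `compromised` were running the tampered build and need the upgrade plus a check for follow-on activity; `outdated` hosts predate the incident window but should move to 5.34 / 1.07.3214 as well.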