CCleaner application backdoor

Talos researchers spotted a supply chain threat used to distribute a backdoor and multi-stage malware via legitimate software package CCleaner.

CCleaner Cloud version 1.07.3191 is also reported to be affected.

CCleaner is used to perform maintenance on systems, such as cleaning of temporary files and optimizing performance on PCs, and boasted 2B user downloads by November 2016. CCleaner was developed by Piriform, a company recently acquired by AV maker Avast.

According to Talos, the malicious malware package road on top of the CCleaner 5.33 package and was delivered by Avast CCleaner download servers. The CCleaner 5.33 package contained a malicious payload that featured a Domain Generation Algorithm (DGA) and hardcoded Command and Control (C2) functionality. 

Cisco Talos also notified Avast as recently as September 13, 2017 and the malicious version of CCleaner was available for download as recently as September 11.

This is another example of how threat actors continue to exploit the trust relationship between software vendors and users of their software in an attempt to distribute malware to organizations and users worldwide. 

After further analyzing the command and control (C2) server delivery code, Talos also noticed that a list of organizations were specifically targeted through delivery of a second-stage loader.

Upon review of the C2 tracking database, at least 20 victim systems were infected with secondary payloads.

Talos provided a screenshot with domains the hackers are attempting to target to include: Cisco, Samsung, Sony, VMware, and Microsoft to name a few. 

Talos further commented that the new findings “would suggest a very focused actor after valuable intellectual property.”

The security experts further warned that users or organizations who have downloaded CCleaner should also restore from backups or reimage systems. These safeguards can help ensure the complete removal of the backdoored version and any other malware the backdoor may have installed. 

Leave a Reply