Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to reports published by Morphisec and Cisco Talos.
Floxif is a malware downloader that gathers information about infected systems and sends it back to its C&C server. The malware also had the ability to download and run other binaries, but at the time of writing, there is no evidence that Floxif downloaded additional second-stage payloads on infected hosts.
The malware collected information such as the computer name, a list of installed software, a list of running processes, MAC addresses for the first three network interfaces, and unique IDs to identify each computer individually. Researchers noted that the malware only ran on 32-bit systems. The malware also quit execution if the user was not using an administrator account.
Threat actor compromised CCleaner infrastructure
Cisco Talos security researchers detected the tainted CCleaner app last week while performing beta testing of a new exploit detection technology. Around the same time, Morphisec reported receiving suspicious logs from several customers who had installed the tainted apps, and immediately reached out to Avast.
Both research teams identified a version of CCleaner 5.33 making calls to suspicious domains. While this initially looked like another case where a user downloaded a fake, malicious CCleaner app, they later discovered that the CCleaner installer had been downloaded from the official website and was signed using a valid digital certificate.
Cisco Talos believes that a threat actor might have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan.
It is unclear if this threat actor breached Avast's systems without the company's knowledge, or the malicious code was added by "an insider with access to either the development or build environments within the organization."
Clean CCleaner versions released
Avast bought Piriform — CCleaner's original developer — in July this year, a month before CCleaner 5.33 was released.
Piriform acknowledged the incident in a blog post today. The company said they found the malware in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.
On September 13, Piriform released CCleaner 5.34 and pushed an update (v1.07.3214) to CCleaner Cloud users; neither contains the malicious code.
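A responder checking a fleet against this advisory needs to tell the trojanised builds apart from merely stale ones. The following is an added example, not code from Avast, Piriform or the researchers: it takes the affected and fixed version numbers from this article and triages a constructed software inventory (hostnames are placeholders).

```python
# Added example (not Avast/Piriform code): triage a software inventory for the
# trojanised CCleaner builds named in the article. Inventory below is constructed.

# Builds named in the article: the trojanised builds and the first clean builds.
AFFECTED = {"CCleaner": "5.33.6162", "CCleaner Cloud": "1.07.3191"}
FIXED = {"CCleaner": "5.34", "CCleaner Cloud": "1.07.3214"}


def parse_version(text: str) -> tuple:
    """Turn '5.33.6162' into (5, 33, 6162) so versions compare numerically."""
    return tuple(int(part) for part in text.strip().split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric less-than on dotted versions; shorter tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def classify(product: str, version: str) -> str:
    """Verdict for one inventory entry: trojanised, update, clean or n/a."""
    if product not in AFFECTED:
        return "n/a"
    if parse_version(version) == parse_version(AFFECTED[product]):
        return "trojanised"      # the backdoored build itself: reinstall the clean version
    if version_lt(version, FIXED[product]):
        return "update"          # older than the fixed build: not backdoored, but stale
    return "clean"


def triage(inventory: list) -> dict:
    """Group hostnames by verdict so responders can work the trojanised hosts first."""
    result = {"trojanised": [], "update": [], "clean": [], "n/a": []}
    for entry in inventory:
        result[classify(entry["product"], entry["version"])].append(entry["host"])
    return result


# Constructed sample inventory; hostnames are placeholders.
SAMPLE_INVENTORY = [
    {"host": "ws-01", "product": "CCleaner", "version": "5.33.6162"},
    {"host": "ws-02", "product": "CCleaner", "version": "5.34.6207"},
    {"host": "ws-03", "product": "CCleaner Cloud", "version": "1.07.3191"},
    {"host": "ws-04", "product": "CCleaner", "version": "5.31"},
    {"host": "ws-05", "product": "Notepad++", "version": "7.5"},
]

if __name__ == "__main__":
    for verdict, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{verdict:11}{', '.join(hosts) or '-'}")
```

A hit in the "trojanised" bucket is the case the article describes, where reinstalling the current version removes the embedded binary; the "update" bucket is just out-of-date software.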
Updating to recent versions removes malware
In an email to Bleeping Computer, Avast CTO Ondrej Vlcek said that updating CCleaner to the most recent version fixes any issues, as "the only malware to remove is the one embedded in the CCleaner binary itself."
"The affected software (CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191) has been installed on 2.27M machines from its inception up until now," Vlcek also added. "We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm."
"There is no indication or evidence that any additional 'malware' has been delivered through the backdoor," Vlcek added.
Technical details about the Floxif malware's mode of operation, infection process, and indicators of compromise are available in a Cisco Talos report here, and a Morphisec report here.
Article updated with link to Piriform blog post. Updated article for a second time with response from Avast CTO. An earlier version of this article referenced a tweet suggesting that other parts of the Avast network might be compromised. Avast investigated the issue and discovered that someone used its VPN service to send ransomware-laced spam.
Image credits: Cisco Talos
Comments
Amigo-A - 6 years ago
Thanks for the info. Unpleasant incident.
I noticed that the new version fails and does not work. Apparently my security software blocked malicious stuffing when the computer was online. Version 5.31 (pre-previous) worked cleanly. I immediately returned to it. The new 5.34 has not yet been used.
Lawrence Abrams - 6 years ago
Thankfully, anyone who downloaded CCleaner from BleepingComputer was protected by my laziness. We were hosting 5.2.9 until Sept. 15th, when we updated to 5.3.4.
mremski - 6 years ago
"Thankfully, anyone who downloaded CCleaner from BleepingComputer was protected by my laziness. We were hosting 5.2.9 until Sept. 15th, when we updated to 5.3.4."
Fortuitous. Sometimes it pays to update slowly.
herby325 - 6 years ago
Apparently, CCleaner 64-Bit was not affected, yet I had a quarantine alert from Malwarebytes that the Trojan.floxif had been quarantined. Their report says that the trojan had been embedded in the ccsetup533.exe download. I deleted the quarantined file and reinstalled CCleaner v5.34.6207 (64-Bit). I ran an Avast full system scan which came up clean. Is there anything else that I should do now? Since the trojan remained undetected since the last CCleaner install in early September, some of my files may have been compromised. Thanks. (I'm actually quite amazed that the trojan bypassed both Malwarebytes and Avast (both premium versions) upon download; they are supposed to be "in-line" at all times. Am I missing something?)
BethE006 - 6 years ago
I had the exact same scenario as what you've laid out here. Except that I updated my CCleaner on 8/3/17 and apparently it was infected THEN! I run routine scans with MWB premium version and it only caught it as of today! 9/25/17. I update my virus defs daily and have MWB settings to check for updates every 3 hours. (yeah, it's scary out there on the web). Only thing I can think of as to why MWB didn't detect the Trojan.floxif prior is bc it was just recently identified after Sept. 13th? (My last full scan was Sept. 16th) Yeah, I'm confused about that too - why MWB didn't catch it. But I need to update my CCleaner immediately.