A major new cybersecurity threat – hidden inside a popular PC maintenance product from a company that also supplies security programs – could affect millions of users worldwide.
According to Cisco Talos, the cybersecurity research team at Cisco, attackers have hijacked Avast’s CCleaner application – which was available for download between August 15 and September 12 – and hidden malware inside it.
Anyone who downloaded the 5.33 version product or updated their existing product during this timeframe became infected.
On 13 September, Cisco Talos notified Avast so that they could begin corrective action. At this time the version containing the malware has been removed and is no longer available for download.
The bad news for users is that they potentially remain at risk – even if they have updated their CCleaner software.
Billing itself the “world’s most popular PC cleaner and optimisation tool,” Avast’s CCleaner is trusted by consumers to speed up PC and smartphone performance by removing unneeded/unnecessary files. As recently as November 2016, CCleaner boasted 2-billion downloads, with a growth rate of 5-million users per week.
According to an alert from Cisco Talos, once the malware was installed, attackers could potentially gain access to the user’s computer and other connected systems to steal sensitive personal data and/or credentials that could be used for online banking or other online activities.
Avast vice-president of products Paul Yung has issued a statement confirming that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud were illegally modified before being released to the public.
“The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version,” he says.
“Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.”
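For an administrator, the practical question raised above is which machines need attention: not only those still running the modified builds, but also those that updated away from them, since the article notes that updating alone does not remove the risk, and any host that obtained a 5.33 build inside the distribution window. The following triage script is an added example and is not code from the article, Avast or Cisco Talos; the inventory records, the non-affected version strings and the record layout are constructed for illustration, while the affected version numbers and the download window are those given above.

```python
"""Triage a software inventory for exposure to the modified CCleaner builds.

Added example (not from the article, Avast or Cisco Talos). The inventory
record shape and the sample records below are constructed; only the affected
version numbers and the download window come from the article.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Versions the Avast statement says were modified before release.
AFFECTED_VERSIONS = {
    "CCleaner": "5.33.6162",
    "CCleaner Cloud": "1.07.3191",
}

# Period during which the modified 5.33 build was available for download.
WINDOW_START = date(2017, 8, 15)
WINDOW_END = date(2017, 9, 12)


@dataclass
class InventoryRecord:
    """One (constructed) endpoint inventory entry."""
    host: str
    product: str
    version: str                  # version currently installed
    first_installed: date         # when this version was first seen on the host
    previous_version: Optional[str] = None  # version it was updated from, if known


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version string into an integer tuple for comparison."""
    return tuple(int(part) for part in version.split("."))


def is_affected(record: InventoryRecord) -> Tuple[bool, str]:
    """Decide whether a host needs follow-up and say why.

    A host is flagged if it runs an affected build, if it was updated away
    from one (the update does not clear the risk), or if it obtained any
    5.33 build of CCleaner inside the distribution window.
    """
    affected = AFFECTED_VERSIONS.get(record.product)
    if affected is None:
        return False, "product not in scope"
    if record.version == affected:
        return True, f"running modified build {affected}"
    if record.previous_version == affected:
        return True, f"updated away from {affected}; host still needs investigation"
    if (record.product == "CCleaner"
            and parse_version(record.version)[:2] == (5, 33)
            and WINDOW_START <= record.first_installed <= WINDOW_END):
        return True, "5.33 build obtained inside the distribution window"
    return False, "no indicator"


def triage(inventory: List[InventoryRecord]) -> List[Tuple[str, str]]:
    """Return (host, reason) pairs for every record that needs follow-up."""
    results = []
    for record in inventory:
        exposed, reason = is_affected(record)
        if exposed:
            results.append((record.host, reason))
    return results


# Constructed sample inventory; version strings other than the two affected
# builds are placeholders, not real CCleaner release numbers.
SAMPLE_INVENTORY = [
    InventoryRecord("ws-01", "CCleaner", "5.33.6162", date(2017, 8, 20)),
    InventoryRecord("ws-02", "CCleaner", "5.34.0", date(2017, 9, 14),
                    previous_version="5.33.6162"),
    InventoryRecord("ws-03", "CCleaner", "5.32.0", date(2017, 7, 1)),
    InventoryRecord("ws-04", "CCleaner Cloud", "1.07.3191", date(2017, 9, 2)),
    InventoryRecord("ws-05", "CCleaner", "5.33.0", date(2017, 9, 1)),
    InventoryRecord("ws-06", "SomeOtherTool", "2.0.0", date(2017, 9, 1)),
]

if __name__ == "__main__":
    for host, reason in triage(SAMPLE_INVENTORY):
        print(f"{host}: {reason}")
```

Hosts flagged by the second rule are the ones most easily missed: their current version looks clean, so only an inventory that keeps the previous version, or a first-seen date inside the window, reveals that they ran the modified build at some point.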
The malware takes the form of a modification of the CCleaner.exe binary, resulting in the insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.
The suspicious code was hidden in the application’s initialisation code called CRT (common runtime) that is normally inserted during compilation by the compiler.
The code executed within that thread was heavily obfuscated to make its analysis harder.
The code collected information about the computer it was running on, encrypted it and submitted it to an external IP address. It then received a reply from the same IP giving it the functionality to download a second stage payload. “We have not detected an execution of the second stage payload and believe that its activation is highly unlikely,” Yung adds.
“At this stage, we don’t want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it. The investigation is still ongoing.”