Hackers Hid Malware in CCleaner Software

According to the recently Cisco Mid Year Report, spyware is currently on the rise and a big problem.  An example would be somebody looking to bypass geolocation restrictions or security  to view online content by using a program like DNS Unlocker. Some freeware available is good but sometimes even legit software can be corrupted. Talos just released a post about how the CCleaner application had malware implacted by attackers. The original article can be found HERE.

Hackers have successfully breached CCleaner’s security to inject malware into the app and distribute it to millions of users. Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner. “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” says the Talos team.

CCleaner has been downloaded more than 2 billion times according to Avast, making it a popular target for hackers. Dubbed “crap cleaner,” it’s designed to wipe out cookies and offer some web privacy protections. 2.27 million users have been affected by the attack, and Avast Piriform believes it was able to prevent the breach harming customers. “Piriform believes that these users are safe now as its investigation indicates it was able to disarm the threat before it was able to do any harm,” says an Avast spokesperson.

This is an unusual attack as software similar to CCleaner is trusted by consumers and meant to remove “crapware” from a system. “By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates,” says Talos. The malware itself appears to have been designed to use infected PCs as part of a botnet.

Earlier this year, Ukrainian company MeDoc was breached and its update servers used to distribute the Petya ransomware. Hackers appear to be targeting these types of distribution points to more easily spread malware, instead of the traditional way of attacking individual machines themselves. It’s a trend that many security researches will be monitoring closely, to catch the latest innovative ways that hackers are breaching multiple systems.

Leave a Reply

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.