The free computer maintenance app CCleaner, distributed by Avast, may have exposed more than two million computers to a multistage malware payload.
Cisco's Talos threat intelligence group believes the malware was most likely added by an outside actor, but the researchers did not rule out the possibility that the manoeuvre was an inside job. Avast acquired Piriform in July and folded the company into Avast's consumer business unit and retained the CCleaner brand.
Piriform vice president Paul Yung said the issue was first noticed on 12 September, when an unknown IP address began receiving data from version 5.33.6162 of CCleaner and CCleaner Cloud version 1.07.3191 on 32-bit Windows systems.
Further research discovered that these versions of the app had been illegally modified before being released to the public. An as-yet-unknown party inserted a two-stage backdoor capable of remote code execution.
CCleaner has been downloaded more than 2 billion times, according to a November 2016 press release, and the company is recommending all its users update to the latest version 5.34.
“We would like to apologise for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191,” Yung said, adding, “the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we're moving all existing CCleaner v5.33.6162 users to the latest version.”
Piriform's investigation found the malware was stashed in the app's initialisation code, which is normally inserted during compilation, and that it stored information, such as a “randomly generated number identifying a particular system. Possibly also to be used as communication encryption key”, in a registry key.
Talos in its investigation also found a compilation artifact (S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb) within CCleaner's binary that it believes points to how the malware found its way into the software.
“Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organisation,” Talos researchers wrote.
Talos did not rule out the possibility that the malware was the work of an insider.
“It is also possible that an insider with access to either the development or build environments within the organisation intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code,” it said.
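The two concrete indicators the article gives a defender are the tampered version numbers (5.33.6162 and Cloud 1.07.3191) and the build-path artifact Talos found embedded in the binary. The following is an added example, not code from Piriform, Avast or Talos, showing how a responder could check a collected CCleaner executable for both: it pulls PDB paths out of the CodeView "RSDS" debug records a Windows compiler embeds (GUID and age follow the signature, then a NUL-terminated path) and compares the installed version string against the affected releases. The sample image bytes are constructed here purely to exercise the parser; the function names `extract_pdb_paths`, `is_affected` and `assess_binary` are this example's own.

```python
import re
import struct

# Versions the article names as the tampered releases.
AFFECTED_VERSIONS = {
    "CCleaner": "5.33.6162",
    "CCleaner Cloud": "1.07.3191",
}

# Build-path artifact Talos reported inside the malicious CCleaner binary.
SUSPECT_PDB_PATH = rb"S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb"


def extract_pdb_paths(image):
    """Return PDB paths from CodeView RSDS records in a PE image.

    Record layout: b'RSDS' + 16-byte GUID + 4-byte age + NUL-terminated path.
    Scanning for the signature rather than walking the debug directory keeps
    the check usable on damaged or partially dumped files.
    """
    paths = []
    for match in re.finditer(rb"RSDS", image):
        start = match.end() + 16 + 4          # skip GUID and age
        end = image.find(b"\x00", start)
        if end == -1:
            continue
        candidate = image[start:end]
        # A random 'RSDS' hit will not be followed by a printable path.
        if candidate and all(32 <= b < 127 for b in candidate):
            paths.append(candidate.decode("ascii"))
    return paths


def version_tuple(version):
    """Turn '5.33.6162' into (5, 33, 6162) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def is_affected(product, version):
    """True when the installed version is exactly one of the tampered releases."""
    affected = AFFECTED_VERSIONS.get(product)
    return affected is not None and version_tuple(version) == version_tuple(affected)


def assess_binary(product, version, image):
    """Combine both indicators into a small triage result for one host/file."""
    pdb_paths = extract_pdb_paths(image)
    return {
        "affected_version": is_affected(product, version),
        "suspect_pdb_path": SUSPECT_PDB_PATH.decode("ascii") in pdb_paths,
        "pdb_paths": pdb_paths,
    }


# Constructed sample image (not a real CCleaner binary): a stub header followed
# by one RSDS record that carries the reported build path.
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 64
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 1)
    + SUSPECT_PDB_PATH + b"\x00" + b"\x00" * 32
)

if __name__ == "__main__":
    print(assess_binary("CCleaner", "5.33.6162", SAMPLE_IMAGE))
```

On a real investigation the `image` argument would be the bytes of the installed CCleaner.exe; a hit on either indicator is a reason to reimage rather than just update, because the article describes a backdoor with remote code execution, not a simple bad update.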
Piriform said the malware also began collecting data on the affected system:
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of first three network adapters
- Additional information, such as whether the process is running with administrator privileges and whether it is a 64-bit system
Piriform said that while the data was collected it does not appear to have been sent anywhere.
The corrupted version of CCleaner was being distributed from CCleaner's download server with a valid certificate as of 11 September 2017, Cisco Talos researchers said.
Cyber industry executives noted that these attackers once again used a trusted software vendor to spread their malware, just as NotPetya was spread to companies through the M.E.Doc accounting software.
“This is an example of a software supply-chain attack, where an otherwise trusted software vendor gets compromised and the update mechanism of the programs they distribute is leveraged to distribute malware.
“This is sort of a holy grail for malware authors because they can efficiently distribute their malware, hide it in a trusted channel, and reach a potentially large number of users,” said Marco Cova, senior security researcher at Lastline.