The free computer maintenance app CCleaner, distributed by Avast subsidiary Piriform, may have exposed more than 2 million computers to a multistage malware payload that, if exploited, could have allowed the computers to be controlled remotely.
Cisco’s Talos threat intelligence group believes the malware was most likely added by an outside actor, but the researchers did not rule out the possibility that the maneuver was an inside job. Avast acquired Piriform in July and folded the company into Avast’s consumer business unit and retained the CCleaner brand.
Piriform Vice President Paul Yung said the issue was first noticed on September 12 when an unknown IP address began receiving data from version 5.33.6162 of CCleaner and CCleaner Cloud version 1.07.3191 on 32-bit Windows systems. Further research discovered that these versions of the app had been illegally modified before being released to the public. An as-yet-unknown party inserted a two-stage backdoor capable of remote code execution.
“Piriform is unable to speculate on the intent of the attack as the company is still working with U.S. law enforcement on the investigation,” a company spokesperson told SC Media.
CCleaner has been downloaded more than 2 billion times, according to a November 2016 press release, and the company is recommending all its users update to the latest version 5.34.
“We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191,” Yung said, adding, “the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version.”
The corrupted version of CCleaner was being distributed on CCleaner’s download server with a valid certificate as of September 11, 2017, Cisco Talos’ researchers said.
The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler, Piriform said.
Talos in its investigation also found a compilation artifact (S:\workspace\ccleaner\branches\v5.33\bin\CCleaner\Release\CCleaner.pdb) within CCleaner’s binary that it believes points to how the malware found its way into the software.
“Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization,” Talos researchers wrote.
Talos did not rule out the possibility that the malware was the work of an insider.
“It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code,” it said.
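A defender can pull the same kind of compilation artifact out of a binary under review. The sketch below is an added example, not code from Talos or Piriform: it scans raw bytes for the CodeView "RSDS" record that carries the PDB path rather than walking the PE debug directory, and the sample bytes, path and build root are constructed.

```python
import ntpath
import struct
import uuid

RSDS = b"RSDS"  # signature that opens a CodeView PDB 7.0 debug record
SAMPLE_PATH = r"C:\build\example\Release\app.pdb"  # constructed, not from the article

def find_pdb_records(data: bytes) -> list[dict]:
    """Scan raw bytes for RSDS records: signature, GUID (16), age (4), NUL-ended path."""
    records = []
    pos = data.find(RSDS)
    while pos != -1:
        path_start = pos + len(RSDS) + 20
        end = data.find(b"\x00", path_start)
        if end != -1 and 0 < end - path_start <= 260:  # 260 = Windows MAX_PATH
            try:
                path = data[path_start:end].decode("utf-8")
            except UnicodeDecodeError:
                path = ""  # not text, so this "RSDS" was a chance match
            if path.lower().endswith(".pdb") and path.isprintable():
                guid = uuid.UUID(bytes_le=data[pos + 4:pos + 20])
                (age,) = struct.unpack_from("<I", data, pos + 20)
                records.append({"offset": pos, "guid": str(guid), "age": age, "path": path})
        pos = data.find(RSDS, pos + 1)
    return records

def built_under(pdb_path: str, build_root: str) -> bool:
    """True if the PDB path lies inside build_root (Windows rules, case-insensitive)."""
    path = ntpath.normcase(ntpath.normpath(pdb_path))
    root = ntpath.normcase(ntpath.normpath(build_root)).rstrip("\\") + "\\"
    return path.startswith(root)

def build_sample() -> bytes:
    """Constructed input: padding, a stray 'RSDS' string, then one genuine record."""
    guid = uuid.UUID("12345678-1234-5678-1234-567812345678")
    record = RSDS + guid.bytes_le + struct.pack("<I", 3) + SAMPLE_PATH.encode() + b"\x00"
    stray = b"RSDS is not a record\x00" + b"\xcc" * 8
    return b"MZ" + b"\x00" * 64 + stray + record + b"\x00" * 16

if __name__ == "__main__":
    for rec in find_pdb_records(build_sample()):
        print(rec, built_under(rec["path"], r"C:\build\example"))
```

A PDB path that sits under the vendor's own build tree in a signed release that misbehaves is the combination Talos describes: it points at the development or build environment rather than at tampering after signing.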
Piriform said the malware also began collecting data on the affected system:
- Name of the computer
- List of installed software, including Windows updates
- List of running processes
- MAC addresses of first three network adapters
- Additional information, such as whether the process is running with administrator privileges and whether it is a 64-bit system
Piriform said that while the data was collected, it does not appear to have been sent anywhere.
Cyber industry executives noted these attackers once again utilized a trusted software vendor to spread their malware, just as NotPetya was spread to companies using M.E.Doc accounting software.
“This is an example of a software supply-chain attack, where an otherwise trusted software vendor gets compromised and the update mechanism of the programs they distribute is leveraged to distribute malware. This is sort of a holy grail for malware authors because they can efficiently distribute their malware, hide it in a trusted channel, and reach a potentially large number of users,” said Marco Cova, senior security researcher at Lastline.