Code
CCleaner was compromised by hackers and used to distribute malware. Pexels/Pixabay

A widely used Windows utility application called CCleaner was unknowingly delivering malware to users who downloaded the tool for longer than a month before it was discovered, according to security researchers.

Version 5.33 of the CCleaner and version 1.07 of CCleaner Cloud were compromised by hackers on Aug. 15 and used to distribute a type of malware called Floxif, researchers at Cisco-owned cyber security firm Talos Intelligence found.

The maliciously modified version of the tool was available for download until Sept. 12.

The researchers caught the issue when they spotted a version of CCleaner making requests to communicate with suspicious website domains. The behavior initially made the researchers think the application may have been a fake, designed to trick people into downloading it. However, the tool was downloaded from the official website and was signed using a valid digital certificate.

Because the application came directly from its official source and was modified to spread malware, researchers reasoned it was likely a threat actor attacked and compromised the supply chain used to distribute the software. They also theorized the malicious code could have been inserted by someone with insider access to the development or build environments within the organization.

Marco Cova, a senior security researcher at cyber security company Lastline, told International Business Times supply chain attacks are “sort of a holy grail for malware authors because they can efficiently distribute their malware, hide it in a trusted channel, and reach a potentially large number of users.”

STRUCTURE SECURITY -- USE THIS ONE
Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Newsweek Media Group

Cova also noted the attackers who implanted the malware had access to the infrastructure used to build the software itself, allowing them to insert the malicious payload directly into the official application.

“This is very troublesome because it indicates that attackers were able to control a critical piece of the infrastructure used by the vendor. I expect that a lot of software vendors will be reviewing the security of their build and distribution channels as a consequence of this finding,” he said.

CCleaner was developed by Piriform, which was bought by security company Avast earlier this year, prior to the recent update that contained malware. Piriform acknowledged the incident in a blog post and thanked Avast for its help in investigating the cause, which has yet to be determined.

While Piriform and Avast continue to look into the cause of the issue, the more than two million people who use CCleaner have to live unsure if the app they count on to keep their computer running smoothly and efficiently may have infected their machine with malware.

Those who downloaded version 5.33 of CCleaner between August 15 and September 12 may well have the Floxif malware hiding on their machine.

Floxif is capable of gathering information from a user’s machine, including details like lists of installed software and running processes, MAC addresses, network interfaces and the unique ID numbers that can be used to identify individual computers.

The compromised CCleaner was discovered communicating with a command and control server operated by the threat actors, suggesting it’s likely the malware recorded information on infected machine. However, researchers don’t believe the malware was used to deliver any sort of malicious payload to the machines to further infect them or steal additional information.

Users of CCleaner should make sure they have updated the application to version 5.34, which was released Sept. 13. CCleaner Cloud users should download a recently pushed out update, version 1.07.3214, in order to ensure they are safe.