Avast CCleaner Hijacked to Distribute Malware

CCleaner, a popular system optimization tool recently acquired by antivirus company Avast, was used by unknown parties as a malware delivery vector for nearly a month.

Piriform, the original developer of the software, confirmed the breach in a blog post by VP of Products Paul Yung:

We would like to apologize for a security incident that we have recently found in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191. A suspicious activity was identified on September 12th, 2017, where we saw an unknown IP address receiving data from software found in version 5.33.6162 of CCleaner, and CCleaner Cloud version 1.07.3191, on 32-bit Windows systems. Based on further analysis, we found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue. Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we’re moving all existing CCleaner v5.33.6162 users to the latest version. Users of CCleaner Cloud version 1.07.3191 have received an automatic update. In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.

The malware was used to gather information about infected systems, such as the computer’s name, the list of installed software, currently running processes, MAC address, which apps were running with administrator privileges, and more. This type of reconnaissance data could potentially be used to formulate a strategy to breach a system.

CCleaner users are advised to immediately update to the most recent version of the software if they haven’t done so already.
