Piriform’s CCleaner, owned by antivirus provider Avast, was found to be hosting a “multi-stage malware payload” that could install ransomware or keyloggers and further infect target computers on command, according to an analysis by threat intelligence firm Cisco Talos.
“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” Cisco Talos said in a statement. According to Avast, about 2.27 million people ran the hacked software, which was downloaded from an infected server.
The malware was discovered by Cisco Talos on September 13, and Avast was notified immediately. “During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. We confirmed that this malicious version of CCleaner was being hosted directly on CCleaner’s download server as recently as September 11, 2017,” said Cisco Talos.
The impact of the malware could have been far more damaging than it was. CCleaner has been downloaded more than 2 billion times according to Avast, making it a popular target for hackers. Dubbed the “crap cleaner,” it is designed to remove rogue programs, wipe out cookies, and offer some web privacy protections.
“By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates,” Cisco Talos researchers said in a blog post, as reported by Engadget.
Talos says the attack vector isn’t new, but it has been seen more frequently in recent months. The virus is a version of the “Petya” ransomware and, like the WannaCry virus that wreaked international havoc in May, it appears to take advantage of a Microsoft Windows flaw uncovered by the NSA and published online by hackers.
At one time, hackers would make fake alternatives to popular applications and trick people into downloading them. Now it is easier to attack the download source itself by gaining access to legitimate servers. It is a trend that many security researchers will be monitoring closely to catch the latest ways hackers are breaching multiple systems at once, according to The Verge.
“This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world,” Cisco Talos warns. “Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected.”