Piriform’s CCleaner, now owned by Avast, is one of the most popular and reputable PC cleaning apps. Last week, the companies announced that hackers had compromised recent versions of the application to include malware with its installer. In total, over 2 million people are thought to have downloaded one of the impacted versions.
In the wake of the discovery, Avast moved quickly to shut down its servers and start an internal investigation. Researchers at third-party companies have also been analysing the malware. Cisco said it’s discovered the attack was designed to infiltrate the world’s largest tech companies, including Samsung, Microsoft, Intel, VMware and Cisco itself.
The malware’s code includes a list of target domain names owned by “at least” 20 different tech firms. The code would look to see if the infected computer was running on one of the specified networks. If it was, a specialised secondary package would be downloaded, allowing it to infiltrate the machine.
The discovery raises questions about the identity and intentions of the malware authors. Cisco said the actor appears to be “sophisticated” and working with a specific purpose. Based on the organisations being targeted, the company speculated the malware may have been designed to steal trade secrets. The attacker was relying on CCleaner’s extremely wide distribution, even within enterprises, to gain a foothold into the corporate networks.
READ NEXT: Small businesses suffer as ransomware epidemic grows
“These new findings raise our level of concern about these events, as elements of our research point towards a possible unknown, sophisticated actor,” said Cisco. “These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.”
After previously suggesting alarm at the compromise was unnecessary, Avast has now acknowledged the attack seems to be more severe than first suspected. In a new blog post, it accepted Cisco’s findings and said it would be reaching out to the tech companies affected. Avast described the attack as a “typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select ones were.”
The investigation has now turned into a full inquiry into the compromise of Avast’s servers and the identity of the malicious actors. U.S. law enforcement has seized the control server behind the malware and efforts are underway to trace the cyberattack’s author. Cisco noted that the control script sets its timezone to match China’s, but warned this finding is far from sufficient to confirm a direct link.
Consumer users of CCleaner should upgrade to version 5.35 immediately to ensure their system is protected. It is not thought any other action is currently required because it’s becoming increasingly clear the malware did not target individuals. Corporate users should consider a full backup restore to before when the infected CCleaner version was installed. Those companies that feature on the malware’s “hit list” will be contacted by Avast in due course.
