CCleaner, the popular PC clean-up tool that anti-virus maker Avast acquired only in July when it bought Piriform, was compromised in a supply-chain attack between August and September that affected as many as 2.27 million users.
Researchers from Cisco Talos said that, between August 15 and September 12 this year, version 5.33 of CCleaner was legitimately signed but contained a multi-stage malware payload that rode on top of the installation.
As CCleaner is a popular application, with an estimated 2.27 million of the affected downloads installed on Windows PCs, the researchers said they "decided to move quickly", notifying Avast of their findings on the same day they discovered the issue so that the company could take equally speedy action.
The researchers detected the malware in the app on 13 September while beta testing a new exploit-detection technology.
They identified suspicious activity from the CCleaner app and found that the downloaded installation executable was signed with a valid digital signature issued to Piriform, CCleaner's original developer, which Avast had acquired. However, CCleaner wasn't the only thing that came with the download.
Bundled with it was a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded command-and-control (C2) functionality. This malicious version was being hosted directly on CCleaner's download server as recently as September 11 2017, the researchers said.
Cisco Talos suggested that, because the malicious CCleaner binary carried a valid digital signature, part of the development or signing process may have been compromised.
"Given the presence of this compilation artefact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization," the researchers explained.
"It is also possible that an insider with access to either the development or build environments within the organisation intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code," they added.
They concluded that this was most likely a supply-chain attack, in which attackers exploit the trust relationship between a manufacturer or supplier and its customers.
The malware uploaded the data it collected from each host to a command-and-control server, which Avast took down quickly after being notified of the malware.
Cisco Talos recommended that affected systems, potentially millions given the download figures above, be restored to a state before August 15 2017 or reinstalled.
Updating to CCleaner 5.34 ought to remove the malware, the company said.
It added: "There is no indication or evidence that any additional 'malware' has been delivered through the backdoor. Therefore, the only malware to remove is the one embedded in the CCleaner binary itself. In the case of CCleaner Cloud, the software was automatically updated."
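A defender-side check that follows from the point above: because the trojanized build was validly signed by Piriform, a signature check returning Valid cannot clear a host, so the decision has to rest on the installed file version and a hash match against published indicators. The PowerShell below is an added example, not code from Cisco Talos, Avast or Piriform; the default install paths and the empty hash list are assumptions, and the list must be filled from the published advisory before the hash match means anything.

```powershell
# Added example (not Cisco Talos, Avast or Piriform code): inventory CCleaner
# on a Windows host and flag the affected 5.33 build.
# The SHA-256 list is a placeholder (assumption): populate it from the
# published indicators before relying on the MALICIOUS_HASH verdict.

$AffectedVersion = [version]'5.33'   # trojanized release named in the Talos report
$FixedVersion    = [version]'5.34'   # release Avast said removes the malware
$KnownBadSha256  = @()               # ASSUMPTION: fill from the vendor/Talos advisory

function Test-CCleanerInstall {
    param([Parameter(Mandatory)][string]$Path)

    # Build the version from the numeric resource fields rather than parsing the
    # free-form FileVersion string, which vendors format inconsistently.
    $fvi  = (Get-Item -LiteralPath $Path).VersionInfo
    $ver  = New-Object System.Version $fvi.FileMajorPart, $fvi.FileMinorPart, $fvi.FileBuildPart, $fvi.FilePrivatePart
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash

    $signer = $null
    if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }

    # Verdict is ordered from weakest to strongest evidence; later checks override.
    # The signature is recorded for the report but deliberately not used here:
    # the trojanized build was signed with a valid Piriform certificate.
    $verdict = 'OK'
    if ($ver -lt $FixedVersion) { $verdict = 'OUTDATED' }
    if ($ver.Major -eq $AffectedVersion.Major -and $ver.Minor -eq $AffectedVersion.Minor) {
        $verdict = 'AFFECTED_VERSION'
    }
    if ($KnownBadSha256 -contains $hash) { $verdict = 'MALICIOUS_HASH' }

    $action = switch ($verdict) {
        'MALICIOUS_HASH'   { 'Restore from a pre-15-Aug-2017 state or reinstall (Talos guidance)' }
        'AFFECTED_VERSION' { 'Treat as compromised: restore or reinstall, then update to 5.34 or later' }
        'OUTDATED'         { 'Update to 5.34 or later' }
        default            { 'None' }
    }

    [pscustomobject]@{
        Path      = $Path
        Version   = $ver.ToString()
        SigStatus = $sig.Status      # expected to read Valid even for the trojanized build
        Signer    = $signer
        Sha256    = $hash
        Verdict   = $verdict
        Action    = $action
    }
}

# ASSUMPTION: default install locations; extend if your estate installs elsewhere.
$candidates = @(
    "$env:ProgramFiles\CCleaner\CCleaner.exe",
    "$env:ProgramFiles\CCleaner\CCleaner64.exe",
    "${env:ProgramFiles(x86)}\CCleaner\CCleaner.exe"
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

if (-not $candidates) {
    Write-Output 'No CCleaner binary found in the default install locations.'
}
$candidates | ForEach-Object { Test-CCleanerInstall -Path $_ } | Format-List
```

Run it from an elevated prompt or push it through your usual remoting or endpoint-management channel to build a fleet-wide inventory. The SigStatus field is included so the report shows why signature validity was not used as the deciding input; anything reporting AFFECTED_VERSION should be handled as Talos advised, by restoring to a pre-August 15 state or reinstalling, rather than by an in-place update alone.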