24, the company released a non-malware tainted version on Sept.
Piriform confirmed the attack, saying Avast “determined on the 12th of September that the 32-bit version of our CCleaner v and CCleaner Cloud v products, which may have been used by up to 3% of our users, had been compromised in a sophisticated manner.” A non-backdoored version of CCleaner was released the same day.Īs for the compromised cloud version, CCleaner Cloud v, which was released on Aug. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.”
The primary infection Command server has been taken offline, as has a secondary server.Īccording to Talos, the Virus Total regimen for checking antivirus products against a submitted sample turned up only one AV package that correctly identifies this infection, " Talos researchers said, “It is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. Talos published very convincing logs of attempts by infected machines to hook into the bot Command sites. If you install CCleaner 5.33, your machine hooks into a bot network. The details are complex, but the upshot is clear: Somebody managed to tack a malware package onto the legitimate distribution file for CCleaner. If you installed CCleaner 5.33, you're infected During the installation of CCleaner 5.33, the 32-bit CCleaner binary that was included also contained a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. …Įven though the downloaded installation executable was signed using a valid digital signature issued to Piriform, CCleaner was not the only application that came with the download. For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner. Talos recently observed a case where the download servers used by software vendor to distribute a legitimate software package were leveraged to deliver malware to unsuspecting victims. Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams at Talos report:
0 kommentar(er)
