CCleaner is a popular utility used to clean up unnecessary files on a PC. Avast acquired CCleaner's UK maker, Piriform, in July; at the time the product had 130 million users. A malicious program was inserted into the CCleaner software itself. The tool is an optimization utility for Windows and Android.
Piriform warned customers that the Windows 32-bit edition of CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191 had been illegally modified before they were released to the public. The modification was used to infect PCs so that they could run code fetched from the attacker's remote IP address.
The compromised versions of CCleaner and CCleaner Cloud were released on August 15 and August 24, respectively, and were used by up to three percent of the product's users. The attack on CCleaner users was discovered by researchers at Cisco's Talos cybersecurity team, who reported their findings to the Prague-based antivirus firm Avast on September 13.
About 2.27 million users had the affected software installed on 32-bit Windows machines. According to Piriform, PCs running the compromised versions transmitted the computer's name, its IP address, a list of installed software, a list of running software, and a list of network adapters to a third-party server located in the US. The company describes this as non-sensitive data used to profile the affected PCs.
After collecting the data, the malware downloaded a second-stage payload from the same third-party server. Because the payload is encrypted, Piriform has not explained its functionality. The company does, however, believe that activation of this payload is highly unlikely.
Piriform says Avast detected suspicious activity on its download server a day ahead of Cisco's notification, but did not warn the public until today because of its cooperation with US law enforcement, which involved shutting down the affected server on September 15.
Working with US law enforcement, the company had the server shut down on the 15th of September. Going public before the server was disabled and its initial assessment was completed would have interfered with the law enforcement agency's investigation, the company said in a statement.
The company has worked to remove the affected versions that were distributed on third-party download sites. It also pushed a notification to CCleaner users to update to version 5.3, which does not contain the compromised code, while automatically updating CCleaner Cloud to a clean version. Avast Antivirus users also received an automatic update. CCleaner users who have not yet updated need to do so manually.
In addition, Cisco's Talos team notes that the affected version of CCleaner was signed with a valid certificate that Symantec had issued to Piriform. The researchers believe an external attacker compromised part of Piriform's development environment to plant the malware in CCleaner.
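For a defender, the two practical takeaways of this report are that the affected builds are identified by exact version and architecture, and that a valid code signature says nothing about whether a build was tampered with. The following script, an added example that is not code from the article, Piriform, Avast or Cisco, walks a software inventory and flags hosts carrying the builds named above while deliberately ignoring the signature result. The inventory record layout, the field names and the sample hosts are constructed for the example; only the product names and affected versions come from the report.

```python
"""Flag hosts carrying the compromised CCleaner builds named in the report.

Added example. The inventory format (host, name, version, arch,
signature_valid) is an assumption about what an asset inventory might export;
the sample records below are constructed, not real hosts.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Builds the vendor identified as tampered (taken from the report). The article
# restricts CCleaner to the Windows 32-bit edition; it states no architecture
# for CCleaner Cloud, so None matches any architecture for that product.
AFFECTED_BUILDS: Dict[Tuple[str, str], Optional[str]] = {
    ("CCleaner", "5.33.6162"): "x86",
    ("CCleaner Cloud", "1.07.3191"): None,
}


@dataclass(frozen=True)
class InstalledProduct:
    host: str
    name: str
    version: str
    arch: str              # "x86" (32-bit) or "x64" (64-bit) as an inventory would report it
    signature_valid: bool  # outcome of an Authenticode check on the installed binary


def is_affected(product: InstalledProduct) -> bool:
    """Exact match on product name and version, plus architecture where the
    vendor restricted it. The signature result is deliberately not consulted:
    the tampered build carried a valid Symantec-issued Piriform certificate,
    so a passing signature check cannot clear a host."""
    key = (product.name, product.version)
    if key not in AFFECTED_BUILDS:
        return False
    required_arch = AFFECTED_BUILDS[key]
    return required_arch is None or product.arch == required_arch


def triage(inventory: List[InstalledProduct]) -> Dict[str, List[str]]:
    """Split hosts into 'affected' and 'clean', and record which affected
    installs would have looked trustworthy on signature alone."""
    result: Dict[str, List[str]] = {
        "affected": [],
        "clean": [],
        "affected_but_signed": [],
    }
    for product in inventory:
        if is_affected(product):
            result["affected"].append(product.host)
            if product.signature_valid:
                result["affected_but_signed"].append(product.host)
        else:
            result["clean"].append(product.host)
    return result


# Constructed sample inventory: hostnames and the non-affected version string
# are placeholders, not data from the report.
SAMPLE_INVENTORY: List[InstalledProduct] = [
    InstalledProduct("ws-01", "CCleaner", "5.33.6162", "x86", True),
    InstalledProduct("ws-02", "CCleaner", "5.33.6162", "x64", True),   # 64-bit: not affected per the vendor
    InstalledProduct("ws-03", "CCleaner Cloud", "1.07.3191", "x64", True),
    InstalledProduct("ws-04", "CCleaner", "9.99.9999", "x86", True),   # placeholder clean version
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Every affected host in the sample also passes the signature check, which is the point: remediation has to key off the build identity (version and edition) and the update described above, not off whether the binary is signed.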