News has emerged that an infected version of the popular PC and Android optimization software CCleaner has been spreading malware to large numbers of computer users. The revelation first hit the web on Monday morning, when the software’s developer Piriform published a blog post on the subject. The good news is that only people running CCleaner on 32-bit Windows systems were affected.
Since the story first broke, the computer security firm Avast has announced that up to 2.27 million CCleaner users may have been affected by the malware that was hidden within official versions of the popular PC performance optimization software. Since then, research from Cisco has revealed that the true number of infections is lower, at around 700,000 PCs.
According to the blog post by Piriform, infected copies of CCleaner were disseminated between 15 August and 12 September. Piriform says that the versions of its software that were compromised are CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.
Piriform is urging all CCleaner users to download version 5.34 or higher as soon as possible. It is worth noting that users of CCleaner Cloud will have received the update automatically. However, other CCleaner users may still be running the compromised version, so updating manually is extremely important for those consumers.
It is not yet known how hackers managed to hide the malevolent code within the official version of CCleaner. From Piriform’s blog post:
“We found that the 5.33.6162 version of CCleaner and the 1.07.3191 version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. We also immediately contacted law enforcement units and worked with them on resolving the issue.”
"Non Sensitive" Data Stolen
So far Piriform has been able to ascertain that the malware was communicating with a Command and Control (CnC) server located in the US. Hackers appear to have used the malware to harvest what the firm describes as “non-sensitive” data.
That data includes the user’s computer name, IP address, a comprehensive list of installed software on their machine, a list of active software, and a list of network adapters. Piriform has informed users that:
“We have no indications that any other data has been sent to the server.
“Working with US law enforcement, we caused this server to be shut down on the 15th of September before any known harm was done. It would have been an impediment to the law enforcement agency’s investigation to have gone public with this before the server was disabled and we completed our initial assessment,”
Avast’s Involvement
Interestingly, the security giant Avast (which provides security products for computer users worldwide) only recently acquired CCleaner’s developer Piriform. That acquisition was finalized just two months ago, in July 2017. For this reason, the timing of the attack is a bit of a head-scratcher, to say the least. The fact that the malware made it onto an official version of CCleaner before it was released to the public could mean the hacker was working from the inside. Only time will tell.
A spokesperson on behalf of Avast has made the following comments:
“We believe that these users are safe now as our investigation indicates we were able to disarm the threat before it was able to do any harm.
“We estimate that 2.27 million users had the affected software installed on 32-bit Windows machines.”
Some Good News
Despite a large initial estimate of infections, it would appear that Piriform has been quite lucky. At the time of Avast’s acquisition, it was claimed that CCleaner has a whopping 130M active users, including 15M on Android. Due to the fact that the infection was limited only to versions of CCleaner running on 32-bit Windows PCs, it seems that a relatively small number of CCleaner users were affected (just 700,000 machines, according to Cisco).
Corporate Targets
Despite having targeted only a small number of CCleaner users, evidence has now emerged that the hackers were very specifically attempting to infect corporate targets. This revelation was uncovered by security experts who analyzed the CnC server used by the hacker.
Researchers at Cisco's Talos security division claim they have found evidence that 20 large corporations were specifically targeted for infection. Among those firms are Intel, Google, Samsung, Sony, VMware, HTC, Linksys, Microsoft, Akamai, D-Link, and Cisco itself. According to Cisco, in about half of those cases, the hackers managed to infect at least one machine. This acted as a backdoor for their CnC server to deliver a more sophisticated payload. Cisco believes that exploit was intended to be used for corporate espionage.
Interestingly, according to both Cisco and Kaspersky, the malware code contained within CCleaner shares some code with exploits used by Chinese government hackers known as Group 72, or Axiom. It is too early to tell, but this may mean that the cyberattack was a state-sponsored operation.
Research manager at Talos, Craig Williams, comments,
"When we found this initially, we knew it had infected a lot of companies. Now we know this was being used as a dragnet to target these 20 companies worldwide...to get footholds in companies that have valuable things to steal, including Cisco unfortunately."
Caught Early
Thankfully Piriform was able to spot the attack early enough to stop it from becoming much worse. Piriform’s vice president, Paul Yung, comments,
“At this stage, we don’t want to speculate how the unauthorised code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it.”
However, Cisco was quick to point out that for firms that were targeted (whom they have already contacted), simply updating CCleaner may not be enough, because the secondary payload may be concealed within their systems. It could be communicating with a separate CnC server to the one that has so far been uncovered. That means it's possible that even more exploits have been delivered onto those machines by the hackers.
For this reason, Cisco is recommending that all potentially infected machines be restored to a time before the contaminated version of Piriform’s software was installed on them.
TR/RedCap.zioqa
According to one CCleaner user, called Sky87, they opened CCleaner on Tuesday to check what version they had. At that point, the 32-bit binary was instantly quarantined with a message identifying the malware as TR/RedCap.zioqa. TR/RedCap.zioqa is a trojan that is already well known to security experts. Avira refers to it as,
“A trojan horse that is able to spy out data, violate your privacy, or perform unwanted modifications to the system.”
What to Do
If you're concerned about your version of CCleaner, check your system for a Windows registry key. To do so, go to HKEY_LOCAL_MACHINE > SOFTWARE > Piriform > Agomo. If the Agomo key is present, it will contain two values, named MUID and TCID. This signals that your machine is indeed infected.
It is worth noting that updating your system to CCleaner version 5.34 does not remove the Agomo key from the Windows registry. It only replaces the malicious executables with legitimate ones, so that the malware no longer poses a threat. As such, if you have already updated to the latest version of CCleaner and see the Agomo key, this is not something to be concerned about.
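The registry check combined with the installed version, as an added PowerShell example that is not part of the original article. The key, value names and version numbers are the ones given above; the default install path and the reading of both registry views are assumptions.

```powershell
# Added example: triage for the indicators described in the article.
# Assumptions (not from the article): the default install path, and reading
# both registry views so the check also works from a 64-bit shell.
$ExePath     = Join-Path $env:ProgramFiles 'CCleaner\CCleaner.exe'  # assumed path
$SubKey      = 'SOFTWARE\Piriform\Agomo'   # key named in the article
$MarkerNames = 'MUID', 'TCID'              # values named in the article

function Get-AgomoMarkers {
    # Return the marker value names present under HKLM in either registry view.
    $found = @()
    foreach ($view in 'Registry32', 'Registry64') {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey('LocalMachine', $view)
        $key  = $base.OpenSubKey($SubKey)
        if ($key) {
            $found += @($key.GetValueNames() | Where-Object { $MarkerNames -contains $_ })
            $key.Close()
        }
        $base.Close()
    }
    $found | Sort-Object -Unique
}

$present = @(Get-AgomoMarkers)
$info = if (Test-Path -LiteralPath $ExePath) { (Get-Item -LiteralPath $ExePath).VersionInfo }

# 5.33.6162 is the compromised build. The 6162 may sit in either the third or
# the fourth field of the file version resource, so accept both layouts.
$compromised = $info -and $info.FileMajorPart -eq 5 -and $info.FileMinorPart -eq 33 -and
               (6162 -in $info.FileBuildPart, $info.FilePrivatePart)
# 5.34 or higher is the fixed release line.
$updated = $info -and ($info.FileMajorPart -gt 5 -or
           ($info.FileMajorPart -eq 5 -and $info.FileMinorPart -ge 34))

if ($compromised) {
    'CCleaner 5.33.6162 is still installed: update to 5.34 or higher.'
} elseif ($present.Count -eq 0) {
    'No Agomo markers (MUID/TCID) found in the registry.'
} elseif ($updated) {
    "Agomo markers present ($($present -join ', ')) but CCleaner is 5.34 or higher: " +
    'the key is a leftover and the executables have been replaced.'
} else {
    "Agomo markers present ($($present -join ', ')): the compromised build ran here."
}
```

Run it from an elevated or standard PowerShell 3.0+ session; it only reads the registry and the file's version resource and changes nothing.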
For anybody who fears their system could be infected with a version of the TR/RedCap.zioqa trojan, the best advice is to use the free malware detection and removal tool SpyHunter. Alternatively, there is a step-by-step guide for removing the trojan here.
Opinions are the writer's own.