“Based on further analysis, we found that the version of CCleaner and the version of CCleaner Cloud was illegally modified before it was released to the public, and we started an investigation process. On September 13, Piriform released a new version of the CCleaner (5.34) and CCleaner Cloud version that do not contain the malware. Let’s remind that Avast owns Piriform that developed the CCleaner solution, the Antivirus solution firm bought it in July, a month before the tainted CCleaner 5.33 version was released. It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code.” continues Talos. “Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization. It is possible that attackers compromised the company system, but experts haven’t excluded that the incident was an insider’s job. Researchers speculate attackers have compromised the Avast’s supply chain to spread the Floxif trojan. later discovered that the CCleaner installer was downloaded from the official website and was signed using a valid digital certificate.įurther investigation allowed Talos to discover that the tainted CCleaner version was deployed on the official website and was signed using a valid digital certificate. Given the potential damage that could be caused by a network of infected computers even a tiny fraction of this size we decided to move quickly” states the analysis published by Cisco Talos.Ĭisco Talos experts spotted the trojanized CCleaner app last week while performing beta testing of a new exploit detection solution, they noticed that a version of CCleaner 5.33 was connecting to suspicious domains. “CCleaner boasted over 2 billion total downloads by November of 2016 with a growth rate of 5 million additional users per week. “For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner.” reads the analysis published by Cisco Talos. The variant of Floxif malware spread by the crooks only works on 32-bit systems and victims must use an administrator account. The Floxif malware downloader is used to gathers information (computer name, a list of installed applications, a list of running processes, MAC addresses for the first three network interfaces) about infected systems and to download and run other malicious binaries.
0 kommentar(er)
