This story is over 5 years old.


Malware-Infected CCleaner Installer Distributed to Users Via Official Servers for a Month

A backdoored installer was put onto the company's official servers, and millions of people likely downloaded it.
Immagine: CCleaner

Hackers have managed to embed malware into the installer of CCleaner, a popular Windows system optimization tool with over 2 billion downloads to date. The rogue package was distributed through official channels for almost a month.

CCleaner is a utilities program that is used to delete temporary internet files such as cookies, empty the Recycling Bin, correct problems with the Windows Registry, among other tasks. First released in 2003, it has become hugely popular; up to 20 million people download it per month.


Users who downloaded and installed CCleaner or CCleaner Cloud between Aug. 15 and Sept. 12 should scan their computers for malware and update their apps. The 32-bit versions of CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were affected.

The compromise was detected by researchers from Cisco Systems' Talos group after one of the company's products triggered a malware detection on a CCleaner installer. A subsequent investigation revealed that it was not a false positive and that the executable program was indeed carrying a sophisticated backdoor program.

What's worse is that this is not a case where hackers took the CCleaner installer, modified it, and then distributed a malicious version through alternative means. Instead the backdoored program was distributed from the developer's official servers, as well as third-party download sites.

The rogue installer was digitally signed with the developer's legitimate certificate, which means the malicious code was added to it before it was signed. There is also a compilation artifact inside the executable suggesting it was compromised before compilation.

"Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization," the Cisco Talos researchers said in a blog post. "It is also possible that an insider with access to either the development or build environments within the organization intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code."


CCleaner was created by a company called Piriform that was acquired by antivirus maker Avast in July. The company issued a press release and a more detailed blog post in response to the incident.

According to the company, up to 3 percent of CCleaner users might have been impacted by this incident. CCleaner is downloaded at a rate of over 20 million times per month.

"At this stage, we don't want to speculate how the unauthorized code appeared in the CCleaner software, where the attack originated from, how long it was being prepared and who stood behind it," said Paul Yung, Piriform's vice-president of products, in a blog post. "The investigation is still ongoing."

Yung confirmed that a "two-stage backdoor" was added to the application's initialization code that's "normally inserted during compilation by the compiler."

The backdoor program is capable of downloading and executing additional malicious code and, according to the analysis by Cisco Talos, it uses a domain name generation algorithm (DGA) to find its command-and-control servers. With knowledge of the algorithm, attackers can predict which domain name the malware will try to contact on a specific date and can register it in advance so they can send commands.

"In analyzing DNS-based telemetry data related to this attack, Talos identified a significant number of systems making DNS requests attempting to resolve the domains associated with the aforementioned DGA domains," the Cisco Talos researchers said. "As these domains have never been registered, it is reasonable to conclude that the only conditions in which systems would be attempting to resolve the IP addresses associated with them is if they had been impacted by this malware."


Piriform pushed out an in-program notification to advise CCleaner users to upgrade to version 5.34 as soon as possible. CCleaner Cloud users received an automatic update from v1.07.3191 to 1.07.3214 and users of Avast Antivirus also received an automatic update.

Users who downloaded the affected CCleaner versions should scan their systems for malware and should restore them to a clean state before Aug. 15. If that's not possible, the Cisco researchers advise reinstalling the OS on the affected systems.

The number of supply chain attacks has been on the rise this year highlighting that software developers and systems engineers have become an attractive target for hackers. With access to a company's development or update infrastructure attackers can push malware to users in a way that is very hard to detect because it abuses a trusted software distribution channel.

For years, security researchers have advised users to only download software from the developer's website or to make sure the software updates they install are legitimate and weren't obtained from suspicious sources. That advice goes out the window with supply chain attacks.

Last month, researchers from antivirus vendor Kaspersky Lab found a backdoor program inside a popular enterprise connectivity software suite developed by a company called NetSarang Computer. The NotPetya ransomware attack that hit major companies in June started out in Ukraine with a rogue update for an accounting program called M.E.Doc and in May, Microsoft researchers detected a malware attack against financial organizations that was executed through the compromised update mechanism for a third-party editing tool.

Users of other operating systems are not safe from such attacks either. Earlier this year, hackers compromised a download server for HandBrake, a popular open-source video converter, and distributed a malware-infected version to macOS users. The popular Transmission BitTorrent client suffered not one, but two supply chain attacks last year.