A big incident regarding web security and viruses has been showing its ugly head, this time by way of the well-known disk cleaner tool CCleaner. Version 5.33 of the CCleaner app offered for download between August 15 and September 12 was modified to include the Floxif malware, according to a report published by Cisco Talos.
The Floxif malware is a downloader that gathers information about infected systems and sends it back to its C&C server. It put a lot of machines that had the program installed at risk of having their data leaked. However, it needed administrator permissions to run properly; otherwise it would shut itself down.
The malware collected information such as the computer name, a list of installed software, a list of running processes, the MAC addresses of the first three network interfaces, and unique IDs to identify each computer individually. Researchers noted that the malware only ran on 32-bit systems, while 64-bit systems were in the clear.
The people at Cisco Talos found the problem while running tests of their latest exploit detection technology. They found that CCleaner 5.33 was making calls to suspicious domains. This would usually happen with pirated software, but this CCleaner installer had been downloaded from the official website and was signed with a valid digital certificate. Below you can see how the virus worked:
The current theory is that a threat actor compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan. However, at the time of this writing nothing has been confirmed on the issue.
"Before delving into the technical details, let me say that the threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the attacker, and we're moving all existing CCleaner v5.33.6162 users to the latest version," said Paul Yung, VP of Products, in an official post. "In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm."
In an email provided to Bleeping Computer, Avast CTO Ondrej Vlcek mentioned that updating to the latest version of CCleaner and CCleaner Cloud will delete the rogue malware. "The only malware to remove is the one embedded in the CCleaner binary itself. There is no indication or evidence that any additional 'malware' has been delivered through the backdoor."
This seems to be a threat that came up and died, but readers must remember that it had been going on for a month. It's important to update the CCleaner apps to the latest versions and also to scan regularly with your antivirus of choice for threats.
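For anyone responsible for more than one machine, the first step of "update to the latest version" is finding out which hosts still carry the 5.33 build. The script below is an added example, not code from the article, Avast or Cisco Talos. It assumes a software inventory exported as CSV (constructed here, with made-up hostnames) in the form `hostname,product,version,os_arch`, and uses only the facts stated above: CCleaner 5.33 (build 5.33.6162) was the trojanized release, and the payload only ran on 32-bit systems.

```python
"""Find hosts still running the trojanized CCleaner 5.33 build.

Added example, not from the original article. It assumes an exported
software inventory (constructed below) with one row per host:
    hostname,product,version,os_arch
The affected build named in Avast's post is CCleaner 5.33.6162, and the
Talos report says the payload only ran on 32-bit systems.
"""
import csv
import io

AFFECTED_PRODUCT = "CCleaner"
AFFECTED_MAJOR_MINOR = (5, 33)    # version family that was distributed with Floxif
AFFECTED_BUILD = (5, 33, 6162)    # exact build named in Avast's post

# Constructed sample inventory; hostnames and version mix are made up.
SAMPLE_INVENTORY = """\
hostname,product,version,os_arch
ws-acct-01,CCleaner,5.33.6162,x86
ws-acct-02,CCleaner,5.33.6162,x64
ws-eng-07,CCleaner,5.34.6207,x86
ws-eng-09,CCleaner,5.32.6129,x86
ws-hr-03,7-Zip,16.04,x64
ws-ops-11,CCleaner,5.33.6162,x86
"""


def parse_version(text):
    """Turn '5.33.6162' into (5, 33, 6162); non-numeric pieces become 0."""
    parts = []
    for piece in text.strip().split("."):
        parts.append(int(piece) if piece.isdigit() else 0)
    return tuple(parts)


def classify(row):
    """Classify one inventory row.

    Returns 'affected' (5.33 on a 32-bit host, payload could run),
    'affected-64bit' (5.33 on a 64-bit host, still replace the binary),
    'not-affected' (another CCleaner version) or 'n/a' (other product).
    """
    if row["product"].strip().lower() != AFFECTED_PRODUCT.lower():
        return "n/a"
    version = parse_version(row["version"])
    if version[:2] != AFFECTED_MAJOR_MINOR:
        return "not-affected"
    if row["os_arch"].strip().lower() in ("x86", "32", "32-bit", "i386"):
        return "affected"
    return "affected-64bit"


def find_affected(inventory_text):
    """Return (hosts to remediate first, hosts to update anyway) from a CSV export."""
    reader = csv.DictReader(io.StringIO(inventory_text))
    priority, update_anyway = [], []
    for row in reader:
        verdict = classify(row)
        if verdict == "affected":
            priority.append(row["hostname"])
        elif verdict == "affected-64bit":
            update_anyway.append(row["hostname"])
    return priority, update_anyway


if __name__ == "__main__":
    first, also = find_affected(SAMPLE_INVENTORY)
    print("32-bit hosts with CCleaner 5.33 (payload could run):", first)
    print("64-bit hosts with CCleaner 5.33 (update anyway):   ", also)
```

The 64-bit hosts are listed separately rather than ignored: the report says the payload did not run there, but the installed binary is still the modified one and should be replaced with a clean release.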