According to reports from leading security companies, attackers injected malicious code into CCleaner, a popular PC cleaning utility. The trojanized CCleaner build reached around 2.27 million users.
The attackers inserted data-harvesting code into the CCleaner installer itself, so it shipped through the vendor's own download channel. The company has confirmed that CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191 (32-bit builds) are the affected versions and has urged users to upgrade to version 5.34 or higher.
Are you at risk?
Though the CCleaner malware reached around 2.27 million PCs between August 15, 2017 and September 15, 2017, the main target of the malware was a set of specific technology firms in the US, Japan, Germany, Taiwan, and the UK.
The security report also mentioned that the attackers were only interested in a small subset of infected PCs, those belonging to people who worked at particular technology firms. The target list included hardware and consumer electronics companies such as Sony, HTC, and Samsung; telecommunications companies such as Vodafone, SingTel, and O2; and technology companies such as Intel, Cisco, VMware, Microsoft, Google, Linksys, D-Link, Epson, MSI, and Akamai.
According to Cisco Talos report, the malicious code was intended for a sophisticated supply chain attack to infect a vast number of machines. The second payload of the attack was more complex and used anti-debugging and anti-emulation tricks.
What should you do to stay safe?
Avast has urged users not only to uninstall the infected version of CCleaner but also to restore their systems from a backup that predates the installation, to ensure no malware remains resident.
Security experts advise users who installed the 32-bit version of CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191 to restore from a clean backup or reformat the drive and reinstall. Simply uninstalling the compromised version of CCleaner only removes the first-stage infection; if a second stage was delivered it is not removed by the uninstaller.
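The practical first step in the advice above is to find out whether a given machine actually ran one of the affected builds. The following PowerShell script is an added example, not code from the original article or from Piriform, Avast, or Cisco Talos. It locates the CCleaner executable in the default install locations, normalises its file version so that the 3-part and 4-part forms compare equal, reads the PE header to confirm it is a 32-bit binary (the only affected architecture), and reports the Authenticode signature status. The install paths, the assumption that the Cloud agent also ships a `CCleaner.exe`, and the exact FileVersion string format are assumptions made for the example.

```powershell
# Added example (not from the original article or from Piriform/Avast/Cisco Talos).
# Flags the 32-bit CCleaner builds named in the advisory on a Windows host.
# Assumptions: default install paths under Program Files; the version is readable
# from the executable's VERSIONINFO resource (FileVersion).

$AffectedBuilds = @('5.33.6162', '1.07.3191')   # from the advisory; 32-bit builds only

function ConvertTo-NormalisedVersion {
    # "5.33.0.6162", "5, 33, 0, 6162" and "5.33.6162" all become "5.33.6162";
    # "1.07.3191" becomes "1.7.3191". Zero components are dropped so the 4-part
    # resource form and the 3-part advisory form compare equal.
    param([string]$VersionString)
    $parts = ($VersionString -split '[^\d]+') |
        Where-Object { $_ -ne '' } |
        ForEach-Object { [int]$_ } |
        Where-Object { $_ -ne 0 }
    return ($parts -join '.')
}

function Get-PeMachineType {
    # Reads the COFF header Machine field: 0x014c = IMAGE_FILE_MACHINE_I386 (32-bit),
    # 0x8664 = IMAGE_FILE_MACHINE_AMD64 (64-bit).
    param([string]$Path)
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    if ($bytes.Length -lt 0x40 -or $bytes[0] -ne 0x4D -or $bytes[1] -ne 0x5A) { return 'not-a-pe' }
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)          # e_lfanew
    if ($peOffset + 6 -gt $bytes.Length) { return 'truncated' }
    if ($bytes[$peOffset] -ne 0x50 -or $bytes[$peOffset + 1] -ne 0x45) { return 'bad-pe-signature' }
    $machine = [BitConverter]::ToUInt16($bytes, $peOffset + 4)
    switch ($machine) {
        0x014c  { 'x86' }
        0x8664  { 'x64' }
        default { ('0x{0:x4}' -f $machine) }
    }
}

function Test-CCleanerInstall {
    param([string[]]$Path)   # optional explicit paths; otherwise the default locations are searched
    if (-not $Path) {
        $roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }
        $Path = foreach ($root in $roots) {
            # 'CCleaner Cloud\CCleaner.exe' is an assumed path for the Cloud agent
            foreach ($sub in 'CCleaner\CCleaner.exe', 'CCleaner Cloud\CCleaner.exe') {
                Join-Path $root $sub
            }
        }
    }
    $affectedNormalised = $AffectedBuilds | ForEach-Object { ConvertTo-NormalisedVersion $_ }

    foreach ($file in ($Path | Where-Object { Test-Path $_ })) {
        $ver  = (Get-Item $file).VersionInfo.FileVersion
        $norm = ConvertTo-NormalisedVersion $ver
        $arch = Get-PeMachineType $file
        $sig  = Get-AuthenticodeSignature -FilePath $file
        [pscustomobject]@{
            Path        = $file
            FileVersion = $ver
            Arch        = $arch
            Signer      = $sig.SignerCertificate.Subject
            SigStatus   = $sig.Status
            # Only the 32-bit builds were trojanised; a 64-bit binary with the same
            # version string is not on the advisory's list.
            Affected    = (($affectedNormalised -contains $norm) -and ($arch -eq 'x86'))
        }
    }
}

Test-CCleanerInstall | Format-List
```

Read the output with the caveat that matters for this incident: a `SigStatus` of `Valid` with a Piriform signer does not clear the file, because the trojanized build was signed with the vendor's legitimate code-signing certificate. A row with `Affected` set to true means the host ran the compromised build and should be handled as described above (restore from a backup that predates the install, or reimage), not merely have CCleaner uninstalled.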
What data did malware gather?
According to a report published on Piriform blog, the malware collected the following information
- Name of the computer
- MAC addresses of the first three network adapters
- List of installed applications including Windows updates
- List of running processes
- Additional details such as whether the system is running a 64-bit OS and which processes are running with administrative privileges
The first stage, then, gathered a profile of the local system rather than personal or financial data. Security experts nevertheless consider this kind of collection a serious risk.
In their view, an attacker who invested this heavily in a signed supply-chain compromise and a fileless second stage did not collect system profiles for their own sake: the first-stage data tells the attacker which machines are worth the trouble and which security software is present, which makes it far easier to deliver later payloads to chosen machines without being detected.
The possibility of future attack cannot be ignored
The way the malware reached machines was very clever. The trojanized installer was signed with Piriform's own legitimate code-signing certificate, so it looked like an authentic release and passed signature checks on the systems that installed it.
The malware operated undetected for about 31 days, which is a major feat in itself. After delivering the first-stage payload, the attackers also pushed a more advanced second-stage payload to a small set of specific machines. Researchers have not yet fully established how that second stage executes or what it was intended to do, and that uncertainty is what makes follow-on attacks a real risk.
Though CCleaner Cloud version 1.07.3191 was also compromised, the Android version of CCleaner was not affected. Piriform has released a statement saying that the current threat is resolved, the rogue server has been taken down, and the other potential servers are out of the attacker's control.
The company is working with government and security agencies to analyze the threat and has assured users that it will take the right steps internally to ensure they never face such a risk again.