CCleaner, a widely used maintenance and cleaning utility for Windows, has fallen victim to a serious hacking incident. Piriform, the original developer of CCleaner, was recently acquired by Avast, a well-known cybersecurity company, with the aim of improving both products and expanding their market presence. Developers typically sign their applications digitally, giving users assurance that they are running legitimate software. However, for various reasons, these signing credentials can fall into the wrong hands, allowing malware to be signed and distributed as though it were genuine, as has now been discovered in the CCleaner program.
The hidden threat:
In a recent report, Cisco's Talos security group identified several compromised versions of CCleaner that attackers were using to distribute malware to unsuspecting users. While testing new exploit-mitigation software, Talos researchers noticed unexpected alerts triggered by the legitimate CCleaner installer, specifically version 5.33. These malicious versions had been served from the official download servers for a considerable period without arousing suspicion. The CCleaner application itself was legitimate; it was the installer that carried the hidden surprise.
The revealed exploitation:
Although details of how the CCleaner installer's signature was compromised have not been disclosed, it is worth noting that this software had been using insecure signatures from Symantec, which have been a cause for concern for some time. Most likely the hackers stole the signing key, but it is also possible that they bypassed the security measures entirely, which would be a more serious threat: it would mean that attackers could have tampered with other applications as well, potentially without users noticing.
The hidden payload:
When Talos analysed the CCleaner installer downloaded from the company's own servers, they found that, alongside the Windows cleaner itself, it also delivered a payload that used a Domain Generation Algorithm (DGA). This payload contained instructions to contact a command-and-control (C&C) server and await further commands. Both CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191, released in August, were compromised by this malware. Anyone who downloaded either application between August 15 and September 12 is at risk of infection.
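A DGA-driven payload reveals itself on the network before it reveals itself on disk: the infected host resolves long, random-looking names that no person would have typed. The script below is an added example, not code from the Talos report or from CCleaner, showing how a defender can triage DNS query logs for such names. It scores the registrable label of each queried name on length, character entropy, vowel ratio and digit ratio; the log lines and the domains in them are constructed for the example, and the thresholds are assumed values rather than figures from any source.

```python
"""Heuristic triage of DGA-style domain names in DNS query logs.

Added example (not from the Talos report or the CCleaner code).  Names
produced by a domain generation algorithm tend to be long, high-entropy
and vowel-poor; names people choose are the opposite.  The thresholds
used here are assumptions chosen for illustration, not tuned values.
"""
import math
from collections import Counter
from typing import Dict, List, Optional

# Constructed DNS query log, one "<timestamp> <client-ip> <queried-name>"
# per line.  The names are made up for this example and are not indicators
# from the incident.
SAMPLE_DNS_LOG = """\
2017-09-01T10:00:01 10.0.0.5 downloads.example-vendor.com
2017-09-01T10:00:03 10.0.0.5 qzxkvbrtnpmwdfghjls.com
2017-09-01T10:00:04 10.0.0.7 login.example-corp.net
2017-09-01T10:00:05 10.0.0.5 4b7f9e2c1a8d6f3e5b0c.net
2017-09-01T10:00:09 10.0.0.9 www.example.org
2017-09-01T10:00:11 10.0.0.9 intranet
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def registrable_label(name: str) -> Optional[str]:
    """Second-level label of a dotted name ('foo' for 'a.foo.com').

    Returns None for single-label or malformed names, which are not scored.
    Assumption: a plain split on '.', with no public-suffix list (so
    'example.co.uk' would yield 'co'); a real deployment should use one.
    """
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 2 or not labels[-2]:
        return None
    return labels[-2]


def score_label(label: str) -> Dict[str, float]:
    """Compute features and a 0-4 suspicion score for one label."""
    n = len(label)
    entropy = shannon_entropy(label)
    vowel_ratio = sum(ch in VOWELS for ch in label) / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    # Each assumed threshold contributes one point; 3 or more is suspicious.
    score = int(n >= 16) + int(entropy >= 3.6) \
        + int(vowel_ratio < 0.2) + int(digit_ratio >= 0.25)
    return {
        "length": n,
        "entropy": round(entropy, 3),
        "vowel_ratio": round(vowel_ratio, 3),
        "digit_ratio": round(digit_ratio, 3),
        "score": score,
    }


def flag_dga_candidates(log_text: str, min_score: int = 3) -> List[Dict[str, object]]:
    """Parse log lines and return the queries whose label scores >= min_score.

    Each hit records the client and the queried name alongside the features,
    so an analyst can pivot from a flagged host to its other queries.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # malformed line: skip rather than crash on a log artefact
        timestamp, client, name = parts
        label = registrable_label(name)
        if label is None:
            continue
        features = score_label(label)
        if features["score"] >= min_score:
            hits.append({"timestamp": timestamp, "client": client, "name": name, **features})
    return hits


if __name__ == "__main__":
    for hit in flag_dga_candidates(SAMPLE_DNS_LOG):
        print(f"{hit['client']} queried {hit['name']} "
              f"(score {hit['score']}, entropy {hit['entropy']})")
```

Run against the constructed log, the two random-looking names are flagged and the three vendor-style names are not; the single-label `intranet` query is skipped rather than scored. A heuristic like this is a starting point for hunting, not a verdict: content-delivery and cloud hostnames can look random too, so flagged names should be checked against an allow-list and correlated with the process that issued the query.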
Mitigating the threat:
Security experts confirm that the control servers were taken down on September 15, which largely contains the threat. Nevertheless, it is strongly recommended to update to the latest version, CCleaner 5.34, from which the malware has been removed and which is considered safe again. As for removing the malicious code, it is only a matter of time before security products update their databases to detect and remove it; with the control servers offline, the threat is currently harmless.
The CCleaner incident raises serious concerns about the integrity and security of widely trusted software. Users are urged to remain vigilant and to update CCleaner to the latest version promptly in order to mitigate any remaining risk. Developers and cybersecurity companies must work together to keep digital signatures trustworthy and to protect users from breaches of this kind in the future.