CCleaner Hacked: 2.5 Million User Are Infected

"CCleaner Hacked" 2.5 Million User Are Infected

Floxif is a malware downloader that collects knowledge about infected orders and sends it back to its C&C server. The malware also had the capability to download and manage other binaries, but at the time of review, there is no indication that Floxif downloaded new second-stage payloads on infected hosts.





CCleaner, a subsidiary of anti-virus giant Avast and security software for Windows was compromised by hackers last month potentially allowing them to take control of a device by inserting a backdoor that might have downloaded malicious software including malware, ransomware, spyware or keyloggers – Currently, there are approximately 2.5 million affected users while the company claims it has had over 2 billion total downloads by November of 2016.network interfaces, and different IDs to identify each network in part. Researchers say that the malware only ran on 32-bit systems.

Cisco Talos security researchers discovered the tainted CCleaner app last week while conducting a beta examination of a new exploit detection technology.

Researchers recognized a version of CCleaner 5.33 production calls to suspicious domains. While originally, this seemed like another case where a user downloaded a false, malicious CCleaner app, they later learned that the CCleaner installer was downloaded from the official website and was confirmed using a valid digital certificate.



Cisco Talos considers that a threat actor might have agreed Avast’s supply chain and used its digital certificate to restore the legitimate CCleaner v5.33 app on its website with one that also included the Floxif trojan.


According to Michael Gorelik, “We strongly believe that each security vendor has the responsibility to inform software companies about threat discovered in their software. We were the first to contact Avast about the threat and shared all the information we could to help them. Luckily, we were able to heavily rely on the unique attack log our solution generates. We are happy to have contributed to the resolution of a threat concerning so many Avast users.”

It is unclear if this warning actor breached Avast’s operations without the company’s knowledge, or the wicked code was added by “an insider with a way to either the community or build environments inside the organization.”

Avast bought Piriform CCleaner’s new developer in July this year, a month before CCleaner 5.33 was published.





Piriform confirmed the incident in a blog post today. The organization said they found the malware in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.