Software updates are increasingly being targeted by distributors of malware, because they provide a virtually unchecked path to infect millions, or even billions, of computers. "Watering hole" attacks, such as the ones used against Facebook, Apple, and Twitter four years ago, are often used to compromise the computers used by software developers. When successful, they can give malware authors what amounts to the keys to the software developer's kingdom: their compilation tools and signing certificates, as well as access to their workflow for software updates. A compromised software update server for the Ukrainian software vendor M.E.Doc was used to distribute the NotPetya ransomware attack in July.

A software package update for a Windows utility product distributed by antivirus vendor Avast has been spreading an unsavory surprise: a malware package that could allow affected computers to be remotely accessed or controlled, signed with what appears to be a legitimate signing certificate. The malware, which was distributed through the update server for the Windows cleanup utility CCleaner, was apparently inserted by an attacker who compromised the software "supply chain" of Piriform, which was acquired by Avast in July. There have been more than 2 billion downloads of CCleaner worldwide, so the potential impact of the malware is huge.

In a blog post this morning ("CCleanup: A Vast Number of Machines at Risk"), Cisco Talos Intelligence's Edmund Brumaghin, Ross Gibb, Warren Mercer, Matthew Molyett, and Craig Williams reported that Talos had detected the malware during beta testing of a new exploit-detection technology. On September 13th, Cisco Talos found that the official download of the free versions of CCleaner 5.33 and CCleaner Cloud also contained a malicious. The malware was part of the signed installer for CCleaner v5.3 and included code that called back to a command-and-control server, as well as a domain-generation algorithm intended to find a new C&C server if the hard-coded IP address of the primary server was lost. Copies of the malicious software installer were distributed to CCleaner users between August 15 and September 12, 2017, using a valid certificate issued to Piriform Ltd by Symantec.

It has been reported that a version of Piriform's CCleaner.exe was compromised/trojanized, resulting in the installation of a multi-stage backdoor capable of receiving instructions from threat actors on affected systems. According to CrowdStrike, this backdoor was discovered embedded in the legitimate, signed version of CCleaner 5.33, and thus constitutes a supply chain attack. The malware has evolved, and the CCleaner attackers used both older and newer versions as they infiltrated Piriform and the 40 chosen machines infected with the malicious CCleaner updates.

YARA rule: win_ccleaner_backdoor_auto (20230407) detects win.ccleaner_backdoor.

CCleaner is a popular, feature-rich freeware system optimization, privacy and cleaning tool for Windows. It removes unused files from your system, allowing Windows to run faster and freeing up valuable hard disk space. The program cleans unused, temporary and log files from your system, as well as traces of online activities such as Internet history and flash cookies, and it contains startup controls for Windows, major internet browsers and context menu entries. CCleaner Free and CCleaner Professional can prompt you to clean files automatically with a notification (or without a notification), and you can set up CCleaner for Windows to automatically clean junk files from your operating system and web browsers based on a file size threshold of your choice.