Hackers have successfully tainted Avast-owned security application CCleaner with malware, reports said.
Researchers have discovered that malware was injected into the app, which was distributed to millions of users.
“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-staged malware payload that rode on top of the installation of CCleaner,” said Cisco Talos team of security researchers.
The hijacked app is a maintenance and file cleaning software run by Piriform, a subsidiary of the anti-virus firm Avast. Since the app claims to have around 2 billion downloads, with 5 million extra per week, the threat seems to be severe. The threat was discovered on September 13 after Talos researchers found out that CCleaner 5.33 caused its systems to flag malicious activity.
The attack was considered a sophisticated one, since it compromised an established and trusted supplier in a manner similar to June’s “NotPetya” ransomware outbreak, in which a Ukrainian accounting app was infected.
“There is nothing a user could have noticed,” Talos researcher Craig Williams said. He also noted that the software sported a proper digital certificate, which enables it to be trusted by other computers.
Deeper investigation revealed that the CCleaner download server had been hosting the backdoored app as far back as September 11.
On the other hand, the app maker stated that all the data were encrypted, and thus were unlikely to be accessed. 2.27 million users ran the affected software, according to Avast’s own data.
“The threat has now been resolved in the sense that the rogue server is down, other potential servers are out of the control of the hacker,” said Paul Yung, who is the vice president of product at Piriform. “In other words, to the best of our knowledge, we were able to disarm the threat before it was able to do any harm,” he added.
This claim was met with skepticism.
“I have a feeling they are downplaying it indeed,” said Virus Bulletin editor Martijn Grooten. “As I read the Cisco blog, there was a backdoor that could have been used for other purposes. This is pretty severe. Of course, it may be that they really stole… ‘non-sensitive data’…but it could be useful in follow-up targeted attacks against specific users,” Grooten added.
Avast chief technical officer Ondrej Vlcek said, “2.27 million is certainly a large number, so we’re not downplaying in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic. To the best of our knowledge, the second-stage payload never activated…It was prep for something bigger, but it was stopped before the attacker got the chance.”
“This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world. By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates,” Talos researchers concluded.
Yung said that the company wouldn’t speculate on how the attack was made possible or on possible perpetrators. They have advised concerned users to head to the Piriform website to download the latest software.