Old 09-22-2017, 09:46 AM  
Fish Fish is offline
Ain't no relax!
 
Join Date: Sep 2005
Casino cash: $2308919
CCleaner app found to be distributing malware

Attention. If you are using the cleanup app CCleaner, I would recommend uninstalling it immediately. I've warned about this shady app before. Turns out it is knowingly distributing malware in its code.

It was initially reported that malware was found, but it didn't appear that it had actually infected any computers. But a recent update to the story shows that it was much worse than that...

CCleaner malware outbreak is much worse than it first appeared

Microsoft, Cisco, and VMWare among those targeted with additional mystery payload.

The recent CCleaner malware outbreak is much worse than it initially appeared, according to newly unearthed evidence. That evidence shows that the CCleaner malware infected at least 20 computers from a carefully selected list of high-profile technology companies with a mysterious payload.

Previously, researchers found no evidence that any of the computers infected by the booby-trapped version of the widely used CCleaner utility had received a second-stage payload the backdoor was capable of delivering. The new evidence—culled from data left on a command-and-control server during the last four days attackers operated it—shows otherwise. Of 700,000 infected PCs, 20 of them, belonging to highly targeted companies, received the second stage, according to an analysis published Wednesday by Cisco Systems' Talos Group.
Because the CCleaner backdoor was active for 31 days, the total number of infected computers is "likely at least in the order of hundreds," researchers from Avast, the antivirus company that acquired CCleaner in July, said in their own analysis published Thursday.


From September 12 to September 16, the highly advanced second stage was reserved for computers inside 20 companies or Web properties, including Cisco, Microsoft, Gmail, VMware, Akamai, Sony, and Samsung. The 20 computers that installed the payload were from eight of those targeted organizations, Avast said, without identifying which ones. Again, because the data covers only a small fraction of the time the backdoor was active, both Avast and Talos believe the true number of targets and victims was much bigger.

More fileless malware

The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.

"When you look at this software package, it's very well developed," Williams told Ars. "This is someone who spent a lot of money with a lot of developers perfecting it. It's clear that whoever made this has used it before and is likely going to use it again."

Stage one of the malware collected a wide assortment of information from infected computers, including a list of all installed programs, all running processes, the operating-system version, hardware information, whether the user had administrative rights, and the hostname and domain name associated with the system. Combined, the information would allow attackers not only to further infect computers belonging to a small set of targeted organizations, but it would also ensure the later-stage payload is stable and undetectable.

Now that it's known the CCleaner backdoor actively installed a payload that went undetected for more than a month, Williams renewed his advice that people who installed the 32-bit version of CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy.

The group behind the attack remains unknown. Talos was able to confirm an observation, first made by AV provider Kaspersky Lab, that some of the code in the CCleaner backdoor overlaps with a backdoor used by a hacking group known both as APT 17 and Group 72. Researchers have tied this group to people in China. Talos also noticed that the command server set the time zone to one in the People's Republic of China. Williams warned, however, that attackers may have deliberately left the evidence behind as a "false flag" intended to mislead investigators about the true origin of the attack.

[...]
Posts: 47,478
Old 09-22-2017, 09:53 AM   #2
SuperChief SuperChief is offline
Damn it feels good.
 
 

Join Date: Mar 2011
Casino cash: $7547978
Thanks for the heads up, Fish.
__________________
Posts: 3,305
Old 09-22-2017, 10:00 AM   #3
Bowser Bowser is offline
sorta mod-ish
 
 

Join Date: Jan 2004
Location: KC North
Casino cash: $3471616
Thanks.

I had it on my old phone that crapped out. It was in my app library on my replacement phone, but not installed. Removed it anyway.
Posts: 100,581
Old 09-22-2017, 10:03 AM   #4
Bowser Bowser is offline
sorta mod-ish
 
 

Join Date: Jan 2004
Location: KC North
Casino cash: $3471616
In light of the Equifax debacle and now this, it would appear hackers are progressing at around two or three times the speed of those that try to stop them.
Posts: 100,581
Old 09-22-2017, 10:14 AM   #5
InChiefsHeaven InChiefsHeaven is offline
Rockin' yer FACE OFF!
 
 

Join Date: Feb 2003
Location: Omaha, Nebraska
Casino cash: $3904937
Damn, thanks for that. I use it on my home PC. I'll be taking that off when I get home.
__________________

We have a million reasons for failure, but not one excuse...
Die Donks, DIE!!
Holy Crap fellas!!! We did it!!! THREE TIMES!!!
Posts: 25,717
Old 09-22-2017, 12:40 PM   #6
kcxiv kcxiv is offline
In Search of a Life
 

Join Date: Mar 2005
Location: Central Valley, Cali
Casino cash: $8807996
The activity was discovered on September 12, and while Piriform says it's already patched CCleaner Cloud, users running CCleaner will need to upgrade immediately.

It's already been patched.
Posts: 29,110
Old 09-23-2017, 12:32 AM   #7
Demonpenz Demonpenz is offline
I got Rice cookin in the micro
 
 

Join Date: Nov 2003
Location: Apartment "G UNIT!"
Casino cash: $3152136
Damn I downloaded that shi to every folder, oh well I didn't pay shit for it.
__________________
Posts: 54,267
Old 09-25-2017, 03:54 PM   #8
Boon Boon is offline
a.k.a. Lenny
 
 

Join Date: Oct 2004
Location: Smack dab in the middle
Casino cash: $9637069
Thanks for the information. Haven't used it but have heard of it.
Posts: 1,919
Old 09-25-2017, 06:09 PM   #9
kcxiv kcxiv is offline
In Search of a Life
 

Join Date: Mar 2005
Location: Central Valley, Cali
Casino cash: $8807996
Again, it's gotten patched like right after they found out someone got past their backdoor. There is no malware in it if you have the current version of it.
Posts: 29,110
Old 09-25-2017, 07:51 PM   #10
Fish Fish is offline
Ain't no relax!
 
 

Join Date: Sep 2005
Casino cash: $2308919
It's a shit app, and always has been. I do not recommend using it, regardless of whether they say it's been patched.
__________________
Posts: 47,478
Old 09-26-2017, 08:55 PM   #11
Simply Red Simply Red is offline
You Sweetie!
 
 

Join Date: Sep 2005
Casino cash: $2021206219
VARSITY
Quote:
Originally Posted by Fish View Post
It's a shit app, and always has been. I do not recommend using it, regardless of whether they say it's been patched.
will this interfere with porn?
Posts: 71,691
Old 09-26-2017, 09:19 PM   #12
Fish Fish is offline
Ain't no relax!
 
 

Join Date: Sep 2005
Casino cash: $2308919
Quote:
Originally Posted by Simply Red View Post
will this interfere with porn?
Fear not, this will not affect your goat bestiality porn search settings in any way.
__________________
Posts: 47,478
All times are GMT -6. The time now is 06:02 AM.