2.27 million users installed a compromised version of CCleaner. Are you one of them?

by Gabriel E. Hall

CCleaner hack affected millions of computers worldwide

CCleaner 5.33 virus

CCleaner by Piriform is a top-rated PC optimization program trusted by billions (not millions!) of users worldwide. It is a completely legitimate system maintenance tool with a spotless reputation. Sadly, the company recently experienced something very unpleasant, publicly known as a “supply-chain attack.”

It appears that hackers compromised the company’s servers to inject malware into a legitimate version of the PC optimization tool, which landed the malicious component on more than 2.27 million computers worldwide.

On September 18, 2017, Paul Yung, the vice president of Piriform, announced the hack in a troubling blog post. The VP apologized and stated that hackers had managed to compromise CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191. It appears that these versions were illegally modified to set up backdoors on users’ computers.

The company took action to take down the server that was communicating with the backdoor. It appears that the malware injected into the PC optimization software (known as the Nyetya or Floxif Trojan) could transfer the computer name, the list of installed software and Windows updates, running processes, the MAC addresses of the first three network adapters and even more data about the computer to a remote server.

Malware collects data from compromised systems

At first, experts discovered only the first-stage payload. According to analysts, the CCleaner 5.33 virus was capable of transmitting several types of data to its own database, including victims’ IP addresses, online time, hostnames, domain names, lists of active processes, installed programs and more. According to experts from the Talos Intelligence Group, “this information would be everything an attacker would need to launch a later stage payload.”

However, a little later malware analysts revealed that the CCleaner virus could also download a second-stage payload.

It seems that the second payload only targets giant tech companies. To detect its targets, the malware uses a list of domains, such as:

  • Htcgroup.corp;
  • Am.sony.com;
  • Cisco.com;
  • Linksys;
  • Test.com;
  • Dlink.com;
  • Ntdev.corp.microsoft.com.

Remember that this is a shortened list of domains. After accessing the Command & Control database, researchers discovered at least 700,000 computers that had responded to the server and more than 20 machines infected with the second-stage malware. The second-stage payload is designed to allow hackers to get a deeper foothold on tech companies’ systems.

Remove CCleaner malware and protect your privacy

According to Piriform, hackers managed to modify CCleaner version 5.33 before it was launched. Version 5.33 was released on August 15, 2017, meaning that the criminals started infecting systems on that day. Reportedly, distribution did not stop until September 15.

Although some experts recommend updating CCleaner to version 5.34, we are afraid that this might not be enough to root the backdoor out of your system. 2-Spyware experts recommend restoring your computer to its pre-August 15 state and running an anti-malware program. Also, to protect your accounts, we recommend changing all of your passwords using a safe device (such as your phone or another computer).
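To answer the question in the title for a fleet rather than a single PC, the indicators in this article (the two compromised build numbers, the August 15 to September 15 distribution window, and the shortened second-stage domain list) can be turned into a triage check over a software-install history export. The following Python is an added example written for this page; it is not Piriform's, Talos's or 2-Spyware's code. The `InstallEvent` record layout, the sample inventory rows, the `triage` labels and the decision to treat a two-component version such as "5.33" as a match for the full build number are all assumptions of this example.

```python
from dataclasses import dataclass
from datetime import date

# Builds named in Piriform's disclosure (taken from the article above).
COMPROMISED_BUILDS = {
    "CCleaner": "5.33.6162",
    "CCleaner Cloud": "1.07.3191",
}

# Distribution window given in the article (release date to takedown).
DISTRIBUTION_START = date(2017, 8, 15)
DISTRIBUTION_END = date(2017, 9, 15)

# Shortened second-stage target list as printed in the article, lower-cased.
SECOND_STAGE_TARGET_DOMAINS = (
    "htcgroup.corp", "am.sony.com", "cisco.com", "linksys",
    "test.com", "dlink.com", "ntdev.corp.microsoft.com",
)


@dataclass(frozen=True)
class InstallEvent:
    """One row of a (constructed) software-install history export."""
    hostname: str
    domain: str          # AD/DNS domain the host belongs to
    product: str
    version: str
    install_date: str    # ISO date, e.g. "2017-08-20"


def parse_version(version: str) -> tuple:
    return tuple(int(part) for part in version.strip().split("."))


def is_compromised_build(product: str, version: str) -> bool:
    """True when the recorded version is, or is a prefix of, a compromised build.

    Inventory tools often record only "5.33", so a prefix of two or more
    components is treated as a match: triage should over-flag, not under-flag.
    (Prefix matching is this example's choice, not something the article states.)
    """
    target = COMPROMISED_BUILDS.get(product)
    if target is None:
        return False
    recorded = parse_version(version)
    full = parse_version(target)
    return len(recorded) >= 2 and full[: len(recorded)] == recorded


def installed_in_window(install_date: str) -> bool:
    """True when the install falls inside the published distribution window."""
    return DISTRIBUTION_START <= date.fromisoformat(install_date) <= DISTRIBUTION_END


def matches_second_stage_target(domain: str) -> bool:
    """Suffix-match the host's domain against the published target list."""
    d = domain.lower().rstrip(".")
    return any(d == t or d.endswith("." + t) for t in SECOND_STAGE_TARGET_DOMAINS)


def triage(event: InstallEvent) -> str:
    """Classify one install event; labels are this example's own vocabulary."""
    if not is_compromised_build(event.product, event.version):
        return "not-affected"
    if matches_second_stage_target(event.domain):
        return "affected-second-stage-target"   # prioritise: may have received stage two
    if not installed_in_window(event.install_date):
        return "affected-outside-window"         # e.g. a cached installer run later
    return "affected"


def triage_inventory(events) -> dict:
    """Map hostname -> worst label seen for that host (later rows never downgrade)."""
    severity = {"not-affected": 0, "affected": 1,
                "affected-outside-window": 1, "affected-second-stage-target": 2}
    result = {}
    for ev in events:
        label = triage(ev)
        if severity[label] >= severity.get(result.get(ev.hostname, "not-affected"), 0):
            result[ev.hostname] = label
    return result


# Constructed sample export; hostnames and the corp.example domain are made up.
SAMPLE_INVENTORY = [
    InstallEvent("ws-01", "corp.example", "CCleaner", "5.33.6162", "2017-08-20"),
    InstallEvent("ws-02", "corp.example", "CCleaner", "5.34", "2017-09-19"),
    InstallEvent("eng-03", "eng.test.com", "CCleaner", "5.33", "2017-09-01"),
    InstallEvent("ws-04", "corp.example", "CCleaner Cloud", "1.07.3191", "2017-08-30"),
    InstallEvent("ws-05", "corp.example", "CCleaner", "5.33.6162", "2017-10-02"),
    InstallEvent("ws-06", "corp.example", "CCleaner", "5.32", "2017-07-01"),
]

if __name__ == "__main__":
    for host, label in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:8} {label}")
```

The check deliberately runs over install history rather than the currently installed version: a host that had 5.33 installed in the window and was later upgraded to 5.34 still shows as affected, which is exactly the case the paragraph above warns about. A "not-affected" result only says the compromised builds never appeared in the export, and a second-stage-target match says the host's domain is on the published list, not that the second payload was actually delivered.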

About the author

Gabriel E. Hall - Passionate computer expert

Gabriel E. Hall is an expert troubleshooter who has been working in the information technology industry for years.
