If later you updated to v5.34, this doesn't remove the malware's registry, just replaces CCleaner's main (infected) EXE with a clean one, so you still need to clean that manually. The malware is run during CCleaner's installation/update/execution if these conditions are met:ĭuring the install, the malware creates the registry "HKEY_LOCAL_MACHINE\SOFTWARE\Piriform\Agomo", and somehow, saves certain information that uploads it somewhere during the installation and execution of CCleaner. If you downloaded it during that month, it is most likely that you may have it. Yep, the affected installer that had malware was up for almost a month, a nobody noticed. So I thought: "Whaaaaat? It must be a false positive." But as turns out, it wasn't (:P)Ī quick Google search result in many pages with the news from just a couple of days ago saying that the installer for v5.33 was modified by a group of hackers that injected some type of malware in the installer while was in Piriform's server ready for download, and downloaded more than 2 million times while was available from August 15 until September 12, when v5.34 replaced it. Time Scanner Object type Object Threat Action User Information Hash First seen hereĢ1-09-2017 0:57:15 Real-time file system protection file D:\data\_201\software\ccleaner\ccsetup533.exe Win32/CCleaner.A trojan cleaned by deleting Azrael-PC\Azrael Event occurred during an attempt to access the file by the application: C:\Windows\explorer.exe (4583DAF9442880204730FB2C8A060430640494B1). I thought: "But just the other day I updated to v5.34!", and then went to the folder where I keep the latest installers (just in case as a backup, for the programs I always use) to check the day I downloaded v5.34, when my antivirus automatically deleted the installer for v5.33, and this log showed up:
#Ccleaner cloud malware update
"These types of attacks are often successful because consumers trust that these well-known and broadly used applications are safe.After browsing the Internet tonight, I opened CCleaner v5.34 to clean up the system before shutting it down, when I found this message by CCleaner saying I should update to v5.35.
"Like the Nyetya malware in late June, in this instance attackers hacked into a legitimate, trusted application and turned it malicious," Cisco Talos concludes.
#Ccleaner cloud malware software
The attack is particularly dangerous because it exploits the trust consumers have with their software suppliers, a vector that has been seen before.
#Ccleaner cloud malware code
It is also possible that an insider with access to either the development or build environments within the organisation intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code. Given the presence of this compilation artifact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organisation.
0 kommentar(er)
