Most of us run CCleaner periodically to boost PC performance. In a recent turn of events, however, CCleaner has been accused of injecting malware into users' systems. The tool was part of a “security incident” in which users were updated with a digitally signed version of the software that opened a malicious backdoor. The security notification further stated that both CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were compromised. Once installed, the malware would wait for five minutes before checking whether the user had admin privileges. In the next step, the malware stole information from the computer, including the list of installed software, Windows updates, MAC addresses of network adapters and other related unique machine identifiers. All of this data was then sent to a US-based server.
The issue was first unearthed by researchers at Cisco Talos, and the installer for CCleaner v5.3 was the culprit. Unlike most other installer compromises, this one came with a valid digital certificate signed by Piriform. That points to foul play at either an organizational level or perhaps an individual level. It is quite likely that an external attacker succeeded in compromising the build environment and that the tampered build then made it to production. Needless to say, the attacker could use this backdoor to infect millions of computers with the malware. It also points a finger at someone on the inside who had access to the development or build environment.

Piriform has removed the affected versions from the download server. That being said, if you are running CCleaner 5.33, it is advisable to update to 5.34 at the earliest. Users of the free edition of CCleaner need to run a manual update, as that build doesn’t offer automatic updates. Also scan the system with anti-malware software.
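One way to check a Windows machine for the versions named above, as an added example that is not part of the original article or Piriform's own tooling. It assumes CCleaner registers a DisplayName beginning with "CCleaner" and a DisplayVersion under the standard Windows uninstall registry keys; the function name `Test-AffectedBuild` is hypothetical.

```powershell
# Added example: flag CCleaner installs whose registered version matches the
# builds named in the article (CCleaner 5.33.x, CCleaner Cloud 1.07.3191).
# Assumption: the product appears under the standard uninstall keys with a
# DisplayName starting with "CCleaner" and a populated DisplayVersion.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Test-AffectedBuild {
    param([string]$Name, [string]$Version)
    # Keep only digits and dots so "v5.33.6162" and "5.33" compare alike.
    $v = $Version -replace '[^0-9.]', ''
    if ($Name -like 'CCleaner Cloud*') {
        # Conservative: any 1.07 build is flagged for a closer look, because
        # the registry may not record the full build number 1.07.3191.
        return ($v -like '1.07*')
    }
    return ($v -like '5.33*')
}

$found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' } |
    ForEach-Object {
        [pscustomobject]@{
            Product  = $_.DisplayName
            Version  = $_.DisplayVersion
            Affected = Test-AffectedBuild -Name $_.DisplayName -Version $_.DisplayVersion
            Location = $_.InstallLocation
        }
    }

if (-not $found) {
    Write-Output 'No CCleaner entry found in the uninstall registry keys.'
} else {
    $found | Format-Table -AutoSize
    if ($found.Affected -contains $true) {
        Write-Warning 'Affected build present: update to 5.34 or later and run an anti-malware scan.'
    }
}
```

A clean result only means no affected version is registered now; it does not show whether an affected build ran on the machine earlier, so the anti-malware scan still applies.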