Avast's CCleaner compromised to deliver malware to unsuspecting users in August and September, warns Cisco Talos

Anti-virus firm Avast compromised in suspected supply-chain attack

CCleaner, Avast's popular PC tool that has been downloaded some two billion times, has been compromised in a supply-chain attack to deliver malware to unsuspecting victims.

Researchers from Cisco's Talos Intelligence said that, between August 15 and September 12, 2017, version 5.33 of CCleaner was distributed with a legitimate digital signature but contained a multi-stage malware payload that rode on top of the installation.

As CCleaner is a popular application, with an estimated 2.27 million installations of the affected download on 32-bit Windows PCs, the researchers said that they "decided to move quickly", notifying Avast of their findings on the same day they discovered the issue so that the company could take equally speedy action.

The researchers detected the malware in the app on 13 September while beta testing a new exploit detection technology.

They identified suspicious activity from the CCleaner app, and found that the downloaded installation executable was signed with a valid digital signature issued to Piriform (the original developer of CCleaner, since acquired by Avast). However, CCleaner wasn't the only thing that came with the download.

It also carried a malicious payload that featured a Domain Generation Algorithm (DGA) as well as hardcoded Command and Control (C2) functionality. This malicious version was being hosted directly on CCleaner's download server as recently as September 11, 2017, the researchers said.

Cisco Talos suggested that, as there was a valid digital signature on the malicious CCleaner binary, portions of the development or signing process may have been compromised.

"Given the presence of this compilation artefact as well as the fact that the binary was digitally signed using a valid certificate issued to the software developer, it is likely that an external attacker compromised a portion of their development or build environment and leveraged that access to insert malware into the CCleaner build that was released and hosted by the organization," the researchers explained.

"It is also possible that an insider with access to either the development or build environments within the organisation intentionally included the malicious code or could have had an account (or similar) compromised which allowed an attacker to include the code," they added.

They determined that this was most likely a supply-chain attack, whereby attackers rely on the trust relationship between a manufacturer or supplier and a customer.

The malware uploaded the data it collected from each infected host to a command-and-control server. Avast had this server taken down quickly after it was notified of the malware.

The Cisco Talos researchers recommended that affected systems, of which the 2.27 million figure above implies there could be millions, be restored to a state before August 15, 2017 or reinstalled.

Avast, for its part, said that updating to CCleaner 5.34 ought to remove the malware.
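A triage script a Windows administrator could run to act on the two pieces of advice above is given here as an added example; it is not code from Cisco Talos, Avast or Piriform. It reads the installed CCleaner version from the Uninstall registry keys, checks the binary's Authenticode signature and prints its SHA-256. The registry paths, the executable names (CCleaner.exe / CCleaner64.exe), and the use of "5.33" as the sole affected version and "5.34" as the fixed one are assumptions taken from this article rather than from a vendor advisory; the known-good hash to compare against is not on this page and is not included.

```powershell
# Added triage example (not Talos/Avast code). Assumptions: CCleaner registers
# under the standard Uninstall keys, its binary is CCleaner.exe or CCleaner64.exe,
# and the affected/fixed versions are the ones this article names.
$affected = [version]'5.33'   # trojanized release, per Talos
$fixed    = [version]'5.34'   # clean release, per Avast

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$entry = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
         Where-Object { $_.DisplayName -like 'CCleaner*' } |
         Select-Object -First 1

if (-not $entry) {
    Write-Output 'CCleaner not found in the Uninstall registry keys.'
    return
}

# Keep only digits and dots so '5.33' (or '5.33.6162') parses as [version].
$installed = [version]($entry.DisplayVersion -replace '[^\d.]', '')
Write-Output ("Installed: {0} {1}" -f $entry.DisplayName, $installed)

# Locate the binary; InstallLocation may be empty on some installs.
$exe = $null
if ($entry.InstallLocation) {
    foreach ($name in 'CCleaner.exe', 'CCleaner64.exe') {
        $candidate = Join-Path $entry.InstallLocation $name
        if (Test-Path $candidate) { $exe = $candidate; break }
    }
}

if ($exe) {
    $sig = Get-AuthenticodeSignature -FilePath $exe
    Write-Output ("Signature: {0} ({1})" -f $sig.Status, $sig.SignerCertificate.Subject)
    # Caveat: Talos reported that the 5.33 build carried a valid Piriform
    # signature, so a 'Valid' status here does NOT clear the binary. The
    # decision below rests on version (and, where you have one, a vendor hash).
    $hash = (Get-FileHash -Path $exe -Algorithm SHA256).Hash
    Write-Output ("SHA256:    {0}" -f $hash)
} else {
    Write-Output 'Binary not located; deciding on registry version only.'
}

if ($installed -eq $affected) {
    Write-Output 'AFFECTED: version 5.33 installed. Restore from a pre-15-Aug-2017 backup or reinstall; do not rely on an in-place update alone.'
} elseif ($installed -lt $fixed) {
    Write-Output 'Not the affected release, but below 5.34: update.'
} else {
    Write-Output 'At or above the fixed release 5.34.'
}
```

Run it in an elevated PowerShell session on each host in scope; the version comparison is what drives the verdict, and the signature line is printed only to make the point that a valid signature is not evidence of a clean build in a supply-chain compromise. Where a vendor-published SHA-256 for the build is available, compare the printed hash against it before trusting the installed copy.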

It added: "There is no indication or evidence that any additional 'malware' has been delivered through the backdoor. Therefore, the only malware to remove is the one embedded in the CCleaner binary itself. In the case of CCleaner Cloud, the software was automatically updated."