Hackers have successfully breached CCleaner’s security to inject malware into the antivirus app and distribute it to millions of users.
Security researchers at Cisco Talos discovered that download servers used by Avast (the company that owns CCleaner) were compromised to distribute malware inside CCleaner.
“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” says the Talos team.
CCleaner has been downloaded more than 2 billion times according to Avast, making it a popular target for hackers. Originally dubbed “Crap Cleaner,” it’s designed to wipe out the very types of malware that hackers started distributing through its update mechanism. It’s not clear exactly how many CCleaner users were affected by the breach, but Talos reports that around 5 million people download it each week. This is an unusual attack, as antivirus software is trusted by consumers and meant to protect against exactly this type of malware.
“By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates,” says Talos.
Earlier this year, Ukrainian company MeDoc was breached and its update servers were used to distribute the Petya ransomware. Hackers appear to be targeting these types of distribution points to spread malware more easily, instead of attacking individual machines one at a time in the traditional way. It’s a trend that many security researchers will be monitoring closely, to catch the latest innovative ways that hackers are breaching multiple systems at once.
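The practical lesson of the article is that a valid vendor signature is not proof that an installer is clean: the trojanised CCleaner 5.33 build was legitimately signed and served from the vendor’s own download servers. The Python below is an added example, not code from the article, Avast or Cisco Talos. It shows two defensive checks a practitioner would run after reading the report: a software-inventory triage that flags hosts running the affected 5.33 line (handling full build strings such as “5.33.6162”), and a hash-pinning check that compares a downloaded installer against a hash obtained out of band rather than trusting the signature alone. The inventory records and the expected hash values are constructed for the example; the only page-derived fact is the affected version number.

```python
import hashlib
import hmac
import re
from dataclasses import dataclass

# Version line reported as carrying the payload, per the Talos finding quoted
# in the article above. Keyed by (product name, (major, minor)).
AFFECTED_VERSIONS = {("CCleaner", (5, 33))}


@dataclass
class InstalledApp:
    host: str
    name: str
    version: str  # as reported by the software inventory, e.g. "5.33.6162"


def parse_version(version: str) -> tuple[int, int]:
    """Return (major, minor) from strings like '5.33', '5.33.6162' or 'v5.34.6387'.

    Only major.minor is compared, because the report identifies the affected
    release by that pair; the trailing build number is ignored.
    """
    match = re.match(r"\s*v?(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    return int(match.group(1)), int(match.group(2))


def is_affected(app: InstalledApp) -> bool:
    """True if this inventory record matches an affected product/version pair."""
    return (app.name, parse_version(app.version)) in AFFECTED_VERSIONS


def triage(inventory: list[InstalledApp]) -> list[str]:
    """Return the sorted list of hosts that need investigation or reimaging."""
    return sorted({app.host for app in inventory if is_affected(app)})


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_installer(data: bytes, expected_sha256: str) -> bool:
    """True only if the file's SHA-256 matches a value obtained out of band.

    This is the check a code signature cannot replace: a signed build can still
    be malicious if the vendor's build or distribution chain is compromised.
    """
    return hmac.compare_digest(sha256_hex(data), expected_sha256.strip().lower())


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    InstalledApp("ws-01", "CCleaner", "5.32.6129"),
    InstalledApp("ws-02", "CCleaner", "5.33.6162"),
    InstalledApp("ws-03", "CCleaner", "v5.34.6387"),
    InstalledApp("ws-04", "Notepad++", "7.5"),
    InstalledApp("ws-05", "CCleaner", "5.33"),
    InstalledApp("ws-02", "CCleaner", "5.33"),  # duplicate host, counted once
]

if __name__ == "__main__":
    print("hosts running the affected line:", triage(SAMPLE_INVENTORY))
    # Constructed stand-in for a downloaded installer and its published hash.
    blob = b"hello"
    published = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"
    print("installer hash matches published value:", verify_installer(blob, published))
```

In a real deployment the inventory would come from an endpoint agent or configuration-management export, and the expected hash from a channel independent of the download server (a vendor advisory, a signed manifest you have already pinned, or your own golden image), since a compromised distribution point can serve a matching bad hash alongside a bad file.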