Attackers hijacked and hid malware inside Avast’s CCleaner application which was available for download between August 15 snd September 12, 2017. Anyone who downloaded the 5.33 version product or updated their existing product during this timeframe became infected.
On September 13, 2017, Cisco Talos notified Avast so that they could begin corrective action. At this time the version containing the malware has been removed and is no longer available for download. However, many consumers remain at risk – and will remain at risk even after updating their CCleaner software.
Billing itself the “world’s most popular PC cleaner and optimization tool,” Avast’s CCleaner is trusted by consumers to speed up PC and smartphone performance by removing unneeded/necessary files. As recently as November 2016, CCleaner boasted 2 billion downloads with a growth rate of 5 million users per week.
Once the malware was installed, attackers could potentially gain access to the user’s computer and other connected systems to steal sensitive personal data and/or credentials that could be used for online banking or other online activities.
Like the Nyetya malware in late June, in this instance attackers hacked into a legitimate, trusted application and turned it malicious. These types of attacks are often successful because consumers trust that these well-known and broadly-used applications are safe. Criminals are exploiting that trust.
WHAT TO DO
Because the malware remains present, even after users update the CCleaner software, Talos advises all users to wipe their entire computer — remove and reinstall everything on the machine — and to restore files and data from a pre- August 15, 2017 backup, before the current version would have been installed.
It is critical to remove this version of the CCleaner software and associated malware, since it’s structure means it has the ability to hide on the user’s system and call out to check for new malware updates for up to a year.