The popular CCleaner application was hijacked and compromised to steal information from its users and send it to unknown individuals, announced Piriform, the company that made it. According to experts, the app has been compromised for a month or so.
This time, however, instead of penetrating a badly secured server and getting the data they want, the hackers managed to modify the code of CCleaner to gather details about its users’ devices before the app was even launched. Piriform has not shared any specific information about how exactly the crooks succeeded in breaching its systems or how the executable was altered, but there is a short description of the event, which you can read below.
“An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.” – wrote the VP for Products at Piriform, Paul Yung.
The course of the attack
It looks like the hackers were planning a two-stage attack, but they didn’t manage to get to the second part. They compromised two versions of CCleaner: 1.07.3191 for the Cloud variant and 5.33.616 for the 32-bit desktop release. The 64-bit version remained untouched, and this was probably the crooks’ intention in the first place, as compromising this version wouldn’t have gone unnoticed.
Regarding the data gathered by the application and sent to an unknown party, Paul Yung stated that at this point there isn’t anything they can do. He said that the name of the computer, the list of running processes, the list of all installed software together with the Windows updates, the MAC addresses of the first three adaptors, as well as other data regarding running processes, were collected and sent to an IP address.
The investigation of this case is still ongoing and Avast Threat Labs are taking part in it. All authorities have been informed about the problem and the company has released an update for all users. In the next couple of days, we will wait to see whether anything more comes up that helps to find the attackers’ location as well as their actual intentions.