CCleaner is arguably one of the most popular tools when it comes to getting rid of the temporary files and the other trash files that get accumulated on your PC and smartphone. CCleaner is used by millions of internet users (including myself) in order to remove cookies and perform a cleanup. However, besides the clean interface and the powerful features the CCleaner apparently also has a dark side.

ccleaner found to be injecting malware that steals user data - ccleaner 1

Most of us use CCleaner periodically as it would boost the PC performance, however, in a recent turn of events CCleaner is accused of injecting malware into the systems. The tool was part of a “security incident” wherein the users were updated with a digitally signed version of the software that eventually opened a malicious backdoor.

The Security notifications further informed that both CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 were compromised. Once it was offloaded, the malware would wait for five minutes before it checked if the user had admin privileges. In the next step, the malware stole information from the computer including the list of installed software, Windows updates, MAC addresses of network adapters and other related unique machine identities. All of this data was then parcelled to a US-based server.

ccleaner found to be injecting malware that steals user data - ccleaner 3

The issue was first unearthed by researchers at Cisco Talos and the installer for CCleaner v5.3 was the culprit. However, unlike most of the other installer compromises, this one came with a valid digital certificate signed by Piriform. This is something that inadvertently points fingers at a foul play at either an organizational level or perhaps individual level.

The presence of a valid digital signature on the malicious CCleaner binary may be indicative of a larger issue that resulted in portions of the development or signing process being compromised. Ideally, this certificate should be revoked and untrusted moving forward. When generating a new cert care must be taken to ensure attackers have no foothold within the environment with which to compromise the new certificate. Only the incident response process can provide details regarding the scope of this issue and how to best address it. Cisco Talos

It’s quite likely that an external attacker was successful in compromising the build environment and the same made it to the production. Needless to say, the attacker could make use of this backdoor to infect millions of computers with the malware. This also points a finger at someone from the inside that had access to the development or the build organization. Piriform has removed the affected versions from the download server.

That being said, if you are running CCleaner 5.33, it’s advisable to update to the 5.34 at the earliest and users of the free edition of CCleaner need to run a manual update as the build doesn’t offer automatic updates. And also scan the system with an anti-malware software.

Was this article helpful?