One of the most popular computer cleaning and optimization programs, CCleaner (owned by Avast through its subsidiary Piriform), was trojanized and used to spread malware. Attackers injected malicious code into the program's own executable, so users who downloaded the software from the official website installed a data-stealing Trojan along with it. The tampered builds were served from August 15 to September 12, 2017, and according to the latest data more than 2 million users may have installed them.
Supply chain attacks are effective because they exploit the user's trust: people download programs from a developer they know and have no reason to suspect them. Here the attackers broke that trust at the source, injecting the Floxif malware into the main program executable, CCleaner.exe. The malicious binary was signed with a valid Piriform code-signing certificate, so a signature check alone would not have flagged it. Researchers identified two affected versions: CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191.
According to the security researchers, Floxif's first stage works as an information stealer: it profiles the targeted device and its owner and reports to its Command and Control (C&C) server. It can also install other malicious programs, including ransomware, if it receives such a command from that server.
Key characteristics of the Floxif malware
Cisco Talos researchers found that the CCleaner 5.33 binary included a Domain Generation Algorithm (DGA) and Command and Control (C&C) functionality that lets the attackers run further tasks on the affected computer. Only the 32-bit CCleaner.exe carried the payload, and the malicious code runs only when the current user has administrator privileges (it needs to write under HKLM); otherwise it exits without doing anything.
On the affected device the malware replaces the original CBkdr.dll with a corrupted copy and drops another DLL, symsrv.dll, at C:\Program Files\Common Files\System\symsrv.dll. The Trojan also creates and modifies Windows Registry entries (the first stage keeps its configuration under HKLM\SOFTWARE\Piriform\Agomo) and calls Windows APIs in attempts to delete important system files.
Malware researchers suspect that the Trojan is related to the hacking groups known as APT17 and Group 72, and the latest data suggests the attackers are located in China. There is always a chance, however, that this apparent location is not real and is a deliberate trick to mislead researchers, investigators and authorities.
Data tracking – the main task of the Trojan
Floxif communicates with its C&C server to collect and transfer information about the infected machine, such as:
- computer’s name;
- unique IDs;
- the list of installed programs;
- the list of running processes;
- MAC addresses of the first three network adapters.
Beyond that inventory, the Trojan could be used to steal personal information such as login details or credit card numbers, because it can fetch and run further payloads on the infected machine. A Floxif infection could therefore lead to identity theft or financial loss.
The Trojan might install other malware too
The researchers also found that the CCleaner malware can install other malicious programs, for instance file-encrypting viruses. A ransomware attack could start as soon as the Trojan connects to its remote server and receives such a task.
The virus therefore works not only as a data-stealing Trojan but as a malware distribution channel as well.
Big technology companies were hit by the CCleaner malware as well
The initial research warned that more than 2 million home computer users might have been affected. Later findings showed that the attackers also used the infection to go after a target list of about 20 technology companies, so the attack was worse than first expected.
Cisco, whose Talos team detected the malware, was itself among the targets.
The attackers used the first stage as a foothold for a targeted attack, delivering a separate second-stage payload to machines inside the selected company networks. Reportedly more than one computer at some of the corporations was compromised; whether any sensitive data was taken is not yet known.
Updating to the latest CCleaner version is a must to get rid of the Floxif Trojan
Anyone who downloaded CCleaner between August 15 and September 12 should update from version 5.33 to 5.34 (or newer). Security experts warn that updating alone may not be enough, because the update replaces the trojanized binary but does not undo anything the malware did afterwards: potential victims should also restore the computer from a backup taken before August 15 (or reimage it) and run a full scan with a reputable antivirus product.
Floxif may have installed additional components or other malware, or given the attackers remote access to the affected computer, so those artifacts have to be removed as well to protect your data and privacy. Check the computer's security thoroughly to avoid financial loss, identity theft or other consequences.
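The indicators from the "Key characteristics" section (the affected builds, the dropped symsrv.dll, the Piriform\Agomo registry key) and the remediation rule above (anything below 5.34 needs updating, anything showing the trojanized build or its artifacts needs more than an update) can be turned into a triage script for a fleet. The following is an added example and not code from the article, Cisco Talos or Avast/Piriform. It assumes an inventory record such as an endpoint agent or logon script would collect; the `HostInventory` record, its field names, `assess_host()` and the sample hosts are this example's own constructions.

```python
"""Triage host inventory records for the trojanized CCleaner 5.33 release.

Added example, not code from the article, Cisco Talos or Avast/Piriform.
The HostInventory record, its field names and assess_host() are assumptions
of this example; the indicators are the affected builds, the symsrv.dll path
and the distribution window from the article, plus the
HKLM\\SOFTWARE\\Piriform\\Agomo key Talos reported the first stage writes to.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Builds the article names as carrying the payload.
TROJANIZED_BUILDS = {
    "CCleaner": (5, 33, 6162),
    "CCleaner Cloud": (1, 7, 3191),
}
# First release users are told to move to ("5.34 or newer").
FIXED_CCLEANER = (5, 34)

# Period during which the trojanized download was served from the vendor site.
DISTRIBUTION_START = datetime(2017, 8, 15)
DISTRIBUTION_END = datetime(2017, 9, 12, 23, 59, 59)

# Compared case-insensitively, as Windows paths and registry keys are.
FILE_INDICATORS = {
    r"c:\program files\common files\system\symsrv.dll",  # dropped DLL (article)
}
REGISTRY_INDICATORS = {
    r"hklm\software\piriform\agomo",  # stage-1 configuration key (Talos)
}


def parse_version(text: str) -> tuple:
    """'5.33.6162' -> (5, 33, 6162); '1.07.3191' -> (1, 7, 3191)."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split(".") if p.isdigit())


@dataclass
class HostInventory:
    hostname: str
    installed: dict                                   # product name -> version string
    files: set = field(default_factory=set)           # full paths present on disk
    registry_keys: set = field(default_factory=set)   # registry keys present
    ccleaner_installed_at: Optional[datetime] = None  # install time, if known


def assess_host(inv: HostInventory) -> dict:
    """Return {'hostname', 'verdict', 'indicators'}.

    verdict: 'compromised' (trojanized build or its artifacts present),
             'update' (older, non-trojanized CCleaner still below 5.34),
             'clean' otherwise.
    """
    hard, context = [], []

    for product, bad in TROJANIZED_BUILDS.items():
        ver = inv.installed.get(product)
        if ver is not None and parse_version(ver) == bad:
            hard.append(f"{product} {ver} is the trojanized build")

    for path in FILE_INDICATORS & {p.lower() for p in inv.files}:
        hard.append(f"dropped file present: {path}")

    for key in REGISTRY_INDICATORS & {k.lower() for k in inv.registry_keys}:
        hard.append(f"malware registry key present: {key}")

    # Supporting evidence only: the clean 5.34 shipped at the end of the window,
    # so an install date inside it does not by itself decide the verdict.
    t = inv.ccleaner_installed_at
    if t is not None and DISTRIBUTION_START <= t <= DISTRIBUTION_END:
        context.append(f"CCleaner installed {t:%Y-%m-%d}, inside the distribution window")

    if hard:
        verdict = "compromised"
    else:
        ccv = inv.installed.get("CCleaner")
        verdict = "update" if ccv and parse_version(ccv)[:2] < FIXED_CCLEANER else "clean"
    return {"hostname": inv.hostname, "verdict": verdict, "indicators": hard + context}


def triage(hosts) -> dict:
    """Map hostname -> verdict for a batch of inventory records."""
    return {r["hostname"]: r["verdict"] for r in map(assess_host, hosts)}


# Constructed sample inventory, not real telemetry.
SAMPLE_HOSTS = [
    HostInventory("ws-fin-07", {"CCleaner": "5.33.6162"},
                  files={r"C:\Program Files\Common Files\System\symsrv.dll"},
                  registry_keys={r"HKLM\SOFTWARE\Piriform\Agomo"},
                  ccleaner_installed_at=datetime(2017, 8, 20)),
    HostInventory("ws-eng-12", {"CCleaner": "5.34.6207"},
                  ccleaner_installed_at=datetime(2017, 9, 13)),
    HostInventory("ws-hr-03", {"CCleaner": "5.32.6129"}),
    HostInventory("ws-ops-01", {"CCleaner": "5.33.6162"}),  # build only, artifacts already gone
]

if __name__ == "__main__":
    for rec in map(assess_host, SAMPLE_HOSTS):
        print(rec["hostname"], rec["verdict"], *rec["indicators"], sep="\n  ")
```

The verdict is driven by hard indicators only; the install date is recorded as context so an analyst can prioritise, but a machine that merely installed CCleaner during the window and now shows 5.34 with no artifacts is reported clean rather than generating noise. A host reporting the 5.33.6162 build is flagged even when no dropped file or registry key is found, since the article's advice (restore from a pre-August-15 backup or reimage) applies to everyone who ran that build, not only to hosts where the artifacts survived.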
Is it safe to download CCleaner now?
The trojanized version is no longer served from the official download site, so the current Avast build can be downloaded and used. Bear in mind, though, that third-party download sites may still carry the malicious 5.33 build; if you need CCleaner, use the official download server only.