The popular system tuning application „CCleaner“ was shipped with a „blind passenger“ for about a month. Researchers at Talos have found out that the version available on the official download site contained a piece of malware. There are two factors which make this case particularly interesting: for one, the application has a very broad user base. According to information from the manufacturer, the application has a total of around two billion downloads and counting. The number of affected users is therefore very high. The manipulated version of CCleaner was also signed with a valid certificate. These certificates are meant to ensure that an application comes from a trusted vendor. Therefore, someone with access to a stolen certificate can reach a very wide audience – unsigned applications are not executed by Windows unless additional settings are manipulated.
The manipulated version 5.33 of CCleaner was shipped between August 15 and September 12.. All G DATA solutions detect the version as Win32.Backdoor.Forpivast.A.
An amended version has already been released. Users who have the affected version installed are advised to update to version 5.34. The free versions of the program do not install the update automatically – in this case, users need to download the updated setup file manually and install it.
The fact that the infected version 5.33 had been signed with a valid certificate points to several potential security issues, ranging from a compromised certification process to a compromised certification authority.
However, spreading malware that was signed with a valid certificate or malware-laden versions of legitimate programs via official channels is by no means a new phenomenon. In the past, similar things happened to a Torrent-Client for Mac as well as a Linux-Distribution. The „Petna“ malware used the update infrastructure of an accounting software.
Malware authors appear to go to ever greater lengths in order to infect as many machines in the shortest possible amount of time. The supply chain is a very valuable target for this. If an attacker can successfully compromise the supply chain of a vendor, this has far-reaching consequences – this is also something that has happened already in the past.
It appears that the compromise of CCleaner has more far-reaching consequences. According to Talos, there are clear indications that point to the tainted 5.33 version of CCleaner downloading additional malware, if the infected machine is located in the network of one of several high-profile tech companies. The targeted organizations include companies like Microsoft, Samsung, Cisco and Sony as well as telco companies such as Vodafone and even a manufacturer of gambling machines. These facts suggest that behind the compromise is a long-standing and well-planned industrial espionage scheme. The probable objective of this is to syphon off intellectual property from the targeted organizations. This can then be used for anything from resale or “active business development” to seeking out vulnerabilities in IT products, which in turn can be used to mount further attacks or to compromise devices “out of the box”. There is circumstantial evidence, which links the campaign to an APT group called Group 72, which has had a similar target profile in the past. As of this writing, however, this is purely speculative– after all, attribution is often very difficult in this type of scenario.