It was reported that more than 2 million consumers infected their devices by installing updated versions of a security app from the security provider Avast.
Cisco Talos announced that CCleaner 5.33 had been compromised by a multistage malware attack, and that CCleaner Cloud v1.07.3191 contained the malware as well. CCleaner itself has been downloaded approximately 2 billion times, and the compromised versions infected 2.3 million devices.
The image below (source: talosintelligence.com) provides information about the demographics of CCleaner consumers.
As the statistics show, CCleaner is available in 55 languages and has been downloaded more than 2 billion times worldwide. It also cleans approximately 35 million gigabytes every month and adds more than 5 million new users a week.
“CCleaner is an application that allows users to perform routine maintenance on their systems. It includes functionality such as cleaning of temporary files, analyzing the system to determine ways in which performance can be optimized and provides a more streamlined way to manage installed applications,” Cisco Talos described CCleaner.
According to Bleeping Computer, Floxif collects data about compromised systems and transmits it back to its associated C&C server. The malware gathers information such as names, lists of installed software and running processes, MAC addresses, and unique IDs identifying the PC. It runs only on 32-bit systems and only under administrator accounts.
If the initial C&C server does not respond to the malware’s HTTP POST request, a domain generation algorithm (DGA) is used to find a new location. Because the algorithm is time-based, the domains it produces can be computed from the current year and month. Researchers at Cisco Talos investigated the DGA and eliminated the generated domains so that they could not be used in the attack.
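To show why a time-based DGA works in the defender's favour, the added example below (illustrative code written for this article, not Talos's analysis and not the real CCleaner algorithm) uses a hypothetical generator seeded only by year and month, pre-computes the domains it will produce over the following twelve months, and matches constructed DNS log lines against that list.

```python
"""Defender-side view of a time-seeded DGA: if domains depend only on
(year, month), they can be computed ahead of time and blocked or sinkholed.
The generator here is a hypothetical stand-in, not any real malware's DGA."""
import hashlib

TLDS = ("com", "net", "org")  # assumed TLD set for the hypothetical DGA


def dga_domains(year, month, count=3):
    """Hypothetical time-seeded DGA: derive `count` domains from (year, month)."""
    out = []
    for i in range(count):
        seed = f"{year:04d}-{month:02d}-{i}".encode()
        digest = hashlib.sha256(seed).hexdigest()
        # map hex digits onto a-z so the label looks like a plausible hostname
        label = "".join(chr(ord("a") + int(c, 16) % 26) for c in digest[:12])
        out.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return out


def precompute_blocklist(year, month, months, count=3):
    """Walk forward `months` months from (year, month) and collect every
    domain the DGA will produce, so they can be blocked or sinkholed early."""
    blocklist = set()
    for _ in range(months):
        blocklist.update(dga_domains(year, month, count))
        month += 1
        if month > 12:  # roll over into the next year
            month, year = 1, year + 1
    return blocklist


def flag_dns_log(lines, blocklist):
    """Return (client_ip, qname) pairs whose query hits a pre-computed domain.
    Constructed log format: '<timestamp> <client_ip> query <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue
        qname = parts[3].lower().rstrip(".")  # normalise case and trailing dot
        if qname in blocklist:
            hits.append((parts[1], qname))
    return hits


# Constructed sample DNS log: exactly one query is a DGA domain for 2017-09.
SAMPLE_LOG = [
    "2017-09-18T10:00:01 10.0.0.5 query www.example.com",
    f"2017-09-18T10:00:02 10.0.0.7 query {dga_domains(2017, 9)[0]}.",
    "2017-09-18T10:00:03 10.0.0.9 query update.example.net",
]

if __name__ == "__main__":
    print(flag_dns_log(SAMPLE_LOG, precompute_blocklist(2017, 9, 12)))
```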
The researchers also note that the malicious actors compromised Avast’s supply chain. Just a month before the infected versions appeared, the utility’s developer Piriform had been purchased by Avast.
The change in the company’s ownership could potentially have contributed to this supply chain attack.
Ondrej Vlcek, the chief technology officer of Avast, noted that “2.27 million is certainly a large number, so we’re not downplaying in any way. It’s a serious incident. But based on all the knowledge, we don’t think there’s any reason for users to panic.”
Users who downloaded the malicious version of the app should update it manually in order to protect their devices from infection.