Backdoor Discovered in CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191
On September 13, researchers at Cisco Talos detected a malicious executable being automatically delivered to endpoints via legitimate servers hosting CCleaner, a popular computer maintenance utility. Further analysis determined that CCleaner's installation file had been replaced with a tainted version containing a malicious binary that included a command-and-control function as well as a domain generation algorithm. Users who downloaded and installed the Windows 32-bit version of CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191 from the Piriform website, or whose current version was set to update automatically between August 15 and September 12, are likely impacted. Avast, the company that bought CCleaner from Piriform in July, released updates designed to remove the malicious binary from the compromised software versions.

The NJCCIC recommends that users and administrators of CCleaner and CCleaner Cloud review Avast's security notification and Cisco Talos' blog post, and update to the latest version of the affected software as soon as possible. Additionally, we recommend administrators identify, isolate, and scan any computers that ran the compromised versions of CCleaner and CCleaner Cloud, and consider wiping and restoring affected systems from backups that predate the installation. Lastly, review all event and security logs for anomalies and unauthorized access during the timeframe that infected systems were active on the network.
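The identification step above (find every host that ran one of the two named builds, and treat 64-bit records and auto-updating hosts with care) can be scripted against a software inventory export. The following Python is an added example written for this advisory, not code from the NJCCIC, Avast or Cisco Talos; the CSV layout, the hostnames, the auto_update column and every version string other than the two affected builds are constructed placeholders, so adapt the loader to whatever your inventory tool actually exports.

```python
"""Added example: triage an endpoint software inventory for the backdoored
CCleaner builds named in the advisory. Hostnames, versions other than the
two affected builds, and the CSV layout are constructed for illustration."""
import csv
from collections import Counter
from io import StringIO

# Builds the advisory names as carrying the backdoor; only the 32-bit
# (x86) Windows installers were affected.
AFFECTED_BUILDS = {"CCleaner": "5.33.6162", "CCleaner Cloud": "1.07.3191"}
AFFECTED_ARCH = "x86"

# Constructed sample inventory: columns and hosts are hypothetical, and
# versions other than the affected builds are placeholders.
SAMPLE_INVENTORY = """host,product,version,arch,auto_update
ws-01,CCleaner,5.33.6162,x86,yes
ws-02,CCleaner,5.33.6162,x64,no
ws-03,CCleaner,5.99.9999,x86,yes
ws-04,CCleaner,5.30.1234,x86,yes
ws-05,CCleaner Cloud,1.07.3191,x86,no
ws-06,CCleaner,5.30.1234,x86,no
"""


def version_tuple(version):
    """Turn '5.33.6162' into (5, 33, 6162) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def classify(row):
    """Return (status, reason) for one inventory row.

    affected: a backdoored build on the 32-bit platform the advisory names.
    review:   needs a hands-on check before it can be called clean.
    clean:    nothing in the advisory applies to this record.
    """
    product, version, arch = row["product"], row["version"], row["arch"]
    bad_version = AFFECTED_BUILDS.get(product)
    if bad_version is None:
        return "clean", "product not named in the advisory"
    if version == bad_version:
        if arch == AFFECTED_ARCH:
            return "affected", f"{product} {version} ({arch}) is a backdoored release"
        # Inventory tools often record the OS architecture rather than the
        # installed binary's, so a 64-bit record still deserves a look.
        return "review", f"{product} {version} matches an affected build but arch is {arch}"
    if version_tuple(version) < version_tuple(bad_version) and row["auto_update"] == "yes":
        # A host with auto-update on may have pulled the tainted build during
        # the distribution window after this inventory record was taken.
        return "review", "older build with auto-update enabled; confirm update history"
    return "clean", "version not named in the advisory"


def triage(inventory_csv):
    """Map each host in a CSV inventory to its (status, reason)."""
    return {row["host"]: classify(row) for row in csv.DictReader(StringIO(inventory_csv))}


def summary(results):
    """Count hosts per status, e.g. {'affected': 2, 'review': 2, 'clean': 2}."""
    return dict(Counter(status for status, _ in results.values()))


if __name__ == "__main__":
    found = triage(SAMPLE_INVENTORY)
    for host, (status, reason) in sorted(found.items()):
        print(f"{host:8} {status:9} {reason}")
    print(summary(found))
```

Hosts marked "affected" are the ones to isolate, scan and consider rebuilding from a pre-installation backup; the "review" bucket exists because inventory snapshots lag and architecture fields are frequently the OS rather than the binary, so a clean verdict there should come from checking the host itself rather than from the export.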
Please review our recent threat analysis report titled, "Supply Chain: Compromise of Third-Parties Poses Increasing Risk."