Disk cleaner tool CCleaner offered a free download for its newest version but also accidentally included the Floxif malware. The free app download ran from Aug.15 to Sept. 12.
This official report from Cisco Talos stated that the installer for the v5.33 of CCleaner contained an executable that was captured by their malware protection system. Upon this discovery, legitimate download servers have already delivered the installer to its various and specific endpoints. A digital certificate that contained the Floxif Trojan replaced the legitimate CCleaner v5.33 app on its website by compromising the supply chain of Avast.
Information about infected systems is downloaded by the Floxif malware and is then sent back to its Command and Control servers. Data will be leaking out from these infected machines. However, the malware will shut down automatically if it doesn't receive permission from the administrator to run is programs.
Mac addresses (for the first three network interfaces), running processes, installed software, the computer's name and unique ID tag that identifies it from other computers are some of the information that the malware will download. However, this malware can only run on 32-bit systems.
Piriform Vice President of Products, Paul Yung, extended his apologies to their customers on a company blog post. He further stated that the rogue server is now down and all threats have been resolved. All existing CCleaner v5.33.6162 users are being moved to the latest version of cleaner tool app and that the attacker of the system no longer has any control on servers.
Updating to the recent versions of the CCleaner app will automatically remove the malware, according to an e-Mail to Bleeping Computer by Avast CTO Ondrej Vlcek.
Vlcek further added, "There is no indication or evidence that any additional malware has been delivered through the backdoor." About 2.27 million machines installed the v5.33 but the issues can be fixed by removing the one malware embedded in the CCleaner binary.
