Avast’s recent acquisition, CCleaner, was hacked to distribute a multi-stage malware backdoor signed with its own certificate. This hack could affect millions of people.
According to an analysis by Cisco Talos, the servers used by Avast, the company that owns CCleaner, were compromised to distribute the malware.
“For a period of time, the legitimate signed version of CCleaner 5.33 being distributed by Avast also contained a multi-stage malware payload that rode on top of the installation of CCleaner,” Cisco Talos said in a statement.
CCleaner had well over 2 billion downloads by late last year and gains about 5 million new users each week.
The malware was part of the signed installer for CCleaner v5.3 and included code that called back to a command-and-control (C&C) server, as well as a domain-generation algorithm (DGA) intended to locate a new C&C server if the primary server at the hard-coded IP address became unreachable. Copies of the malicious installer were distributed to CCleaner users between August 15 and September 12, 2017, signed with a valid certificate issued to Piriform Ltd by Symantec.
The hard-coded IP address pointed to a server at the virtual dedicated hosting service ServerCrate, which was taken down after the malware was reported to Avast.
Given the potential for damage, Cisco Talos immediately notified Avast of the security breach.