Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

CCleaner and CCleaner Cloud Malicious Backdoor Vulnerability

Vulnerability

A supply chain attack was discovered in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191, both 32-bit builds. The attack involved a malicious pre-entry-point loader that redirected execution to a custom loader. This loader decoded an embedded blob into shellcode, which was then executed in memory. The payload performed anti-analysis checks, collected telemetry data from the host, and exfiltrated this data to command and control (C2) servers via HTTPS. The malware also had the capability to persist on the system and potentially move laterally within a network.

Impact

The backdoor enabled unauthorized data collection and exfiltration, executed its payload in memory to evade detection, and established persistence on infected systems. It also had the potential for lateral movement within networks.

Reproduction

The vulnerability was introduced during the software build process, likely by an external actor or a compromised insider account, after CCleaner was acquired by Avast. The malicious version was distributed through the official CCleaner download servers.

Remediation

Users are advised to update to the latest version of CCleaner. Version 5.34 is available for download on the CCleaner website. For CCleaner Cloud users, version 1.07.3214 is the recommended update.
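As an added example (not part of this advisory), the following PowerShell check finds installed CCleaner executables, collapses their file version to the three-part scheme the advisory uses, reports whether each is the 32-bit build the advisory describes, and flags anything below the fixed versions 5.34 and 1.07.3214. It assumes CCleaner is installed under Program Files or Program Files (x86), that the Cloud build's ProductName contains "Cloud", and that a four-part FileVersion carries the build number in its third or fourth component.

```powershell
# Added example, not from the advisory: inventory check for the CCleaner builds it names.
# Assumptions (not stated on the page): CCleaner is installed under Program Files or
# Program Files (x86), the Cloud build's ProductName contains "Cloud", and a four-part
# FileVersion carries the build number in its third or fourth component.

# Fixed versions taken from the Remediation section above.
$fixed = @{
    'CCleaner'       = [version]'5.34'
    'CCleaner Cloud' = [version]'1.07.3214'
}

# Reads the PE header's Machine field: 0x014C = 32-bit x86, 0x8664 = x64.
function Get-PeMachine([string]$Path) {
    $fs = [System.IO.File]::OpenRead($Path)
    try {
        $br = New-Object System.IO.BinaryReader($fs)
        [void]$fs.Seek(0x3C, 'Begin')           # e_lfanew: offset of the "PE\0\0" signature
        $peOffset = $br.ReadUInt32()
        [void]$fs.Seek($peOffset + 4, 'Begin')  # IMAGE_FILE_HEADER.Machine follows the signature
        return $br.ReadUInt16()
    } finally {
        $fs.Dispose()
    }
}

# Collapses a four-part file version (e.g. 5.33.0.6162) to the advisory's 5.33.6162 form.
function ConvertTo-AdvisoryVersion($fvi) {
    $build = [Math]::Max($fvi.FileBuildPart, $fvi.FilePrivatePart)
    return [version]::new($fvi.FileMajorPart, $fvi.FileMinorPart, $build)
}

$roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ -and (Test-Path $_) }

Get-ChildItem -Path $roots -Recurse -Filter 'CCleaner*.exe' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $fvi     = $_.VersionInfo
        $product = if ($fvi.ProductName -match 'Cloud') { 'CCleaner Cloud' } else { 'CCleaner' }
        $version = ConvertTo-AdvisoryVersion $fvi
        [pscustomobject]@{
            Path        = $_.FullName
            Product     = $product
            Version     = $version
            Is32Bit     = ((Get-PeMachine $_.FullName) -eq 0x014C)
            NeedsUpdate = ($version -lt $fixed[$product])
        }
    } | Format-Table -AutoSize
```

Run it with administrative rights so every install location is readable; rows with NeedsUpdate set to True are the installs the remediation above applies to.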

Added: Oct 8, 2025, 10:25 PM
Updated: Oct 8, 2025, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 8.4
impact: 2.5
exploitability: 6.1
remediation: 7.7
relevance: 0.6
threat: 8.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.