A popular PC-cleaning software used by over 130 million people put users at risk after hackers were able to insert malware into legitimate downloads. Piriform's CCleaner, owned by antivirus provider Avast, was found to be hosting a "contained a multi-stage malware payload" that could install ransomware or keyloggers and further infect target computers on command.
According to Avast, around 2.27 million people ran the affected software, which was delivered via a hacked server. The impact is damaging, but considering that the application has amassed over 2 billion downloads and adds around 5 million new users each month, it could have been significantly worse. The company said it has already forced updates of the affected version and in its own words was "able to disarm the threat before it was able to do any harm."
Starting life as a "crap cleaner," CCleaner has earned a reputation for its ability to remove rogue programs and clear things like tracking cookies on Windows PCs. Users trust the brand, which makes it a prime target for attackers. "By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users' inherent trust in the files and web servers used to distribute updates," said Cisco Talos researchers, who discovered the threat, in a blog post.
The attack vector isn't a new one, but it's become a lot more prevalent in recent months. The Petya ransomware was distributed via a similar method and hackers also modified the Mac Bittorrent app Transmission on official servers to compromise users' computers.
In the past, attackers would create fake alternatives of popular applications and trick people into downloading them. The trend now, however, is to attack the download source directly and gain access to legitimate servers. Once they are in, it's a case of loading the trusted software with a nefarious payload, with the end-user being none the wiser.
"This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world," Cisco Talos warns. "Attackers have shown that they are willing to leverage this trust to distribute malware while remaining undetected."