Piriform Hacked, CCleaner August Versions (v5.33.6162) Injected, Compromised

LogitechFan · Sep 19, 2017

Moreover, the current version that is distributed by Download.com (the link is on the piriform website as of this morning) is actually detected by Malwarebytes during the installation (tried it today). All I can say is - fucking insane! Will never use this POS again, and so should you.

TheDeeGee · Sep 19, 2017

My NOD32 alerted me this morning, and removed it while Windows was still starting programs ^^

Win32/CCleaner.A - Object: C:\Program Files\CCleaner\CCleaner.exe
Win32/CCleaner.B - Object: Werkgeheugen = CCleaner.exe

Strangely enough that's the 64-Bit Program Files folder... even though they said only 32-Bit is affected.

Also ran a scan with Immunet to be sure, nothing else found, nor anything in the registery named Agomo.

rtwjunkie · Sep 19, 2017

TheDeeGee said:
My NOD32 alerted me this morning, and removed it while Windows was still starting programs ^^

Win32/CCleaner.A - Object: C:\Program Files\CCleaner\CCleaner.exe
Win32/CCleaner.B - Object: Werkgeheugen = CCleaner.exe

Strangely enough that's the 64-Bit Program Files folder... even though they said only 32-Bit is affected.

Also ran a scan with Immunet to be sure, nothing else found, nor anything in the registery named Agomo.

The whole thing installs into the 64 bit Program Files folder. In there you should find both executable.

TheDeeGee · Sep 19, 2017

rtwjunkie said:
The whole thing installs into the 64 bit Program Files folder. In there you should find both executable.

Interesting.

That means the Auto Cleanup Feature on Startup uses the 32-Bit Exe...

That's why my NOD32 went off.

Mindweaver · Sep 19, 2017

Here is how you can check to see if you were infected.

remixedcat · Sep 19, 2017

Steevo said:
I love the new Discover card alerts ad, they should alert everyone that Equifax is a dangerous website and has compromised their future credit due to hiring a music teacher/director for "diversity".

Best reply in here!

kn00tcn · Sep 21, 2017

MrGenius said:

that was regarding the multiple replies in this thread insulting the equifax security person having a music background, implying they cannot manage security

DeathtoGnomes · Sep 21, 2017

kn00tcn said:
that was regarding the multiple replies in this thread insulting the equifax security person having a music background, implying they cannot manage security

if the shoe fits! :rolleyes:

Frick · Sep 22, 2017

Were you using the infected version? Format and reinstall.

The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.

"When you look at this software package, it's very well developed," Williams told Ars. "This is someone who spent a lot of money with a lot of developers perfecting it. It's clear that whoever made this has used it before and is likely going to use it again."

Stage one of the malware collected a wide assortment of information from infected computers, including a list of all installed programs, all running processes, the operating-system version, hardware information, whether the user had administrative rights, and the hostname and domain name associated with the system. Combined, the information would allow attackers not only to further infect computers belonging to a small set of targeted organizations, but it would also ensure the later-stage payload is stable and undetectable.

Now that it's known the CCleaner backdoor actively installed a payload that went undetected for more than a month, Williams renewed his advice that people who installed the 32-bit version of CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy.

The second stage seems to be targeted at things like Cisco, MS, Gmail, VMWare, Akamai and Samsung, but still. This is getting interesting.

System Name	TheDeeGee's PC
Processor	Intel Core i7-11700
Motherboard	ASRock Z590 Steel Legend
Cooling	Noctua NH-D15
Memory	Crucial Ballistix 3200/C16 4x8GB
Video Card(s)	Nvidia RTX 4070 Ti 12GB
Storage	Crucial P5 Plus 2TB / Crucial P3 Plus 2TB / Crucial P3 Plus 4TB
Display(s)	EIZO CX240
Case	Fractal Design Define 7
Audio Device(s)	Creative Sound Blaster ZXR, AKG K601 Headphones
Power Supply	Seasonic Fanless TX-700
Mouse	Logitech G500s
Keyboard	Keychron Q6
Software	Windows 10 Pro 64-Bit
Benchmark Scores	None, as long as my games runs smooth.

System Name	Bayou Phantom
Processor	Core i7-8700k 4.4Ghz @ 1.18v
Motherboard	ASRock Z390 Phantom Gaming 6
Cooling	All air: 2x140mm Fractal exhaust; 3x 140mm Cougar Intake; Enermax T40F Black CPU cooler
Memory	2x 16GB Mushkin Redline DDR-4 3200
Video Card(s)	EVGA RTX 2080 Ti Xc
Storage	1x 500 MX500 SSD; 2x 6TB WD Black; 1x 4TB WD Black; 1x400GB VelRptr; 1x 4TB WD Blue storage (eSATA)
Display(s)	HP 27q 27" IPS @ 2560 x 1440
Case	Fractal Design Define R4 Black w/Titanium front -windowed
Audio Device(s)	Soundblaster Z
Power Supply	Seasonic X-850
Mouse	Coolermaster Sentinel III (large palm grip!)
Keyboard	Logitech G610 Orion mechanical (Cherry Brown switches)
Software	Windows 10 Pro 64-bit (Start10 & Fences 3.0 installed)

System Name	TheDeeGee's PC
Processor	Intel Core i7-11700
Motherboard	ASRock Z590 Steel Legend
Cooling	Noctua NH-D15
Memory	Crucial Ballistix 3200/C16 4x8GB
Video Card(s)	Nvidia RTX 4070 Ti 12GB
Storage	Crucial P5 Plus 2TB / Crucial P3 Plus 2TB / Crucial P3 Plus 4TB
Display(s)	EIZO CX240
Case	Fractal Design Define 7
Audio Device(s)	Creative Sound Blaster ZXR, AKG K601 Headphones
Power Supply	Seasonic Fanless TX-700
Mouse	Logitech G500s
Keyboard	Keychron Q6
Software	Windows 10 Pro 64-Bit
Benchmark Scores	None, as long as my games runs smooth.

System Name	Tower of Power / Sechs
Processor	i7 14700K / i7 5820k @ 4.5ghz
Motherboard	ASUS ROG Strix Z690-A Gaming WiFi D4 / X99S GAMING 7
Cooling	CM MasterLiquid ML360 Mirror ARGB Close-Loop AIO / CORSAIR Hydro Series H100i Extreme
Memory	CORSAIR Vengeance LPX 32GB (2 x 16GB) DDR4 3600 / G.Skill DDR4 2800 16GB 4x4GB
Video Card(s)	ASUS TUF Gaming GeForce RTX 4070 Ti / ASUS TUF Gaming GeForce RTX 3070 V2 OC Edition
Storage	4x Samsung 980 Pro 1TB M.2, 2x Crucial 1TB SSD / Samsung 870 PRO 500GB M.2
Display(s)	Samsung 32" Odyssy G5 Gaming 144hz 1440p, ViewSonic 32" 72hz 1440p / 2x ViewSonic 32" 72hz 1440p
Case	Phantek "400A" / Phanteks “Enthoo Pro series”
Audio Device(s)	Realtek ALC4080 / Azalia Realtek ALC1150
Power Supply	Corsair RM Series RM750 / Corsair CXM CX600M
Mouse	Glorious Gaming Model D Wireless / Razer DeathAdder Chroma
Keyboard	Glorious GMMK with box-white switches / Keychron K6 pro with blue swithes
VR HMD	Quest 3 (128gb) + Rift S + HTC Vive + DK1
Software	Windows 11 Pro x64 / Windows 10 Pro x64
Benchmark Scores	Yes

System Name	RemixedBeast-NX
Processor	Intel Xeon E5-2690 @ 2.9Ghz (8C/16T)
Motherboard	Dell Inc. 08HPGT (CPU 1)
Cooling	Dell Standard
Memory	24GB ECC
Video Card(s)	Gigabyte Nvidia RTX2060 6GB
Storage	2TB Samsung 860 EVO SSD//2TB WD Black HDD
Display(s)	Samsung SyncMaster P2350 23in @ 1920x1080 + Dell E2013H 20 in @1600x900
Case	Dell Precision T3600 Chassis
Audio Device(s)	Beyerdynamic DT770 Pro 80 // Fiio E7 Amp/DAC
Power Supply	630w Dell T3600 PSU
Mouse	Logitech G700s/G502
Keyboard	Logitech K740
Software	Linux Mint 20
Benchmark Scores	Network: APs: Cisco Meraki MR32, Ubiquiti Unifi AP-AC-LR and Lite Router/Sw:Meraki MX64 MS220-8P

Piriform Hacked, CCleaner August Versions (v5.33.6162) Injected, Compromised

LogitechFan

TheDeeGee

rtwjunkie

PC Gaming Enthusiast

TheDeeGee

Mindweaver

Moderato®™

remixedcat

kn00tcn

DeathtoGnomes

Frick

Fishfaced Nincompoop

System Name	Dumbass
Processor	AMD Ryzen 7800X3D
Motherboard	ASUS TUF gaming B650
Cooling	Artic Liquid Freezer 2 - 420mm
Memory	G.Skill Sniper 32gb DDR5 6000
Video Card(s)	GreenTeam 4070 ti super 16gb
Storage	Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s)	1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case	Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s)	onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply	Corsair HX1000i
Mouse	Steeseries Esports Wireless
Keyboard	Corsair K100
Software	windows 10 H
Benchmark Scores	https://i.imgur.com/aoz3vWY.jpg?2

System Name	Black MC in Tokyo
Processor	Ryzen 5 5600
Motherboard	Asrock B450M-HDV
Cooling	Be Quiet! Pure Rock 2
Memory	2 x 16GB Kingston Fury 3400mhz
Video Card(s)	XFX 6950XT Speedster MERC 319
Storage	Kingston A400 240GB \| WD Black SN750 2TB \|WD Blue 1TB x 2 \| Toshiba P300 2TB \| Seagate Expansion 8TB
Display(s)	Samsung U32J590U 4K + BenQ GL2450HT 1080p
Case	Fractal Design Define R4
Audio Device(s)	Line6 UX1 + some headphones, Nektar SE61 keyboard
Power Supply	Corsair RM850x v3
Mouse	Logitech G602
Keyboard	Cherry MX Board 1.0 TKL Brown
VR HMD	Acer Mixed Reality Headset
Software	Windows 10 Pro
Benchmark Scores	Rimworld 4K ready!