Why try to trick you into installing malware when you’ll do it voluntarily? That was the tactic used by attackers who infiltrated Avast’s servers and planted malicious software into CCleaner 5.33 recently. The malware was detected by Cisco Talos during routine beta testing of their updated detection engine.
The methods used by the attackers, described in great detail on the Talos blog, were very sophisticated, with many countermeasures taken to avoid detection. Talos notified Avast immediately after finding the infected application last week.
In the period before detection, the affected version of CCleaner was downloaded about 2.27 million times.
While not a common form of attack, the method is highly effective because it exploits the trust between users and software vendors. Unlike the attack on Apple’s Xcode almost exactly two years ago, which distributed XcodeGhost to software developers who downloaded a version of Xcode from unauthorised third parties, this attack infected the software at its legitimate point of origin.
The Talos researchers say the evidence points either to an insider attack or to a compromised developer account that led to the infected binaries being produced. Remediation is either to restore the system to the state it was in on or before 15 August 2017, or to rebuild it.