• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Piriform Hacked, CCleaner August Versions (v5.33.6162) Injected, Compromised

Joined
Nov 19, 2014
Messages
113 (0.03/day)
Location
Toronto
Moreover, the current version that is distributed by Download.com (the link is on the piriform website as of this morning) is actually detected by Malwarebytes during the installation (tried it today). All I can say is - fucking insane! Will never use this POS again, and so should you.
 
Joined
Aug 2, 2012
Messages
2,020 (0.45/day)
Location
Netherlands
System Name TheDeeGee's PC
Processor Intel Core i7-11700
Motherboard ASRock Z590 Steel Legend
Cooling Noctua NH-D15S
Memory Crucial Ballistix 3200/C16 32GB
Video Card(s) Nvidia RTX 4070 Ti 12GB
Storage Crucial P5 Plus 2TB / Crucial P3 Plus 2TB / Crucial P3 Plus 4TB
Display(s) EIZO CX240
Case Lian-Li O11 Dynamic Evo XL / Noctua NF-A12x25 fans
Audio Device(s) Creative Sound Blaster ZXR / AKG K601 Headphones
Power Supply Seasonic PRIME Fanless TX-700
Mouse Logitech G500S
Keyboard Keychron Q6
Software Windows 10 Pro 64-Bit
Benchmark Scores None, as long as my games runs smooth.
My NOD32 alerted me this morning, and removed it while Windows was still starting programs ^^

Win32/CCleaner.A - Object: C:\Program Files\CCleaner\CCleaner.exe
Win32/CCleaner.B - Object: Werkgeheugen = CCleaner.exe

Strangely enough that's the 64-Bit Program Files folder... even though they said only 32-Bit is affected.

Also ran a scan with Immunet to be sure, nothing else found, nor anything in the registery named Agomo.
 
Last edited:

rtwjunkie

PC Gaming Enthusiast
Supporter
Joined
Jul 25, 2008
Messages
14,019 (2.34/day)
Location
Louisiana
Processor Core i9-9900k
Motherboard ASRock Z390 Phantom Gaming 6
Cooling All air: 2x140mm Fractal exhaust; 3x 140mm Cougar Intake; Enermax ETS-T50 Black CPU cooler
Memory 32GB (2x16) Mushkin Redline DDR-4 3200
Video Card(s) ASUS RTX 4070 Ti Super OC 16GB
Storage 1x 1TB MX500 (OS); 2x 6TB WD Black; 1x 2TB MX500; 1x 1TB BX500 SSD; 1x 6TB WD Blue storage (eSATA)
Display(s) Infievo 27" 165Hz @ 2560 x 1440
Case Fractal Design Define R4 Black -windowed
Audio Device(s) Soundblaster Z
Power Supply Seasonic Focus GX-1000 Gold
Mouse Coolermaster Sentinel III (large palm grip!)
Keyboard Logitech G610 Orion mechanical (Cherry Brown switches)
Software Windows 10 Pro 64-bit (Start10 & Fences 3.0 installed)
My NOD32 alerted me this morning, and removed it while Windows was still starting programs ^^

Win32/CCleaner.A - Object: C:\Program Files\CCleaner\CCleaner.exe
Win32/CCleaner.B - Object: Werkgeheugen = CCleaner.exe

Strangely enough that's the 64-Bit Program Files folder... even though they said only 32-Bit is affected.

Also ran a scan with Immunet to be sure, nothing else found, nor anything in the registery named Agomo.
The whole thing installs into the 64 bit Program Files folder. In there you should find both executable.
 
Joined
Aug 2, 2012
Messages
2,020 (0.45/day)
Location
Netherlands
System Name TheDeeGee's PC
Processor Intel Core i7-11700
Motherboard ASRock Z590 Steel Legend
Cooling Noctua NH-D15S
Memory Crucial Ballistix 3200/C16 32GB
Video Card(s) Nvidia RTX 4070 Ti 12GB
Storage Crucial P5 Plus 2TB / Crucial P3 Plus 2TB / Crucial P3 Plus 4TB
Display(s) EIZO CX240
Case Lian-Li O11 Dynamic Evo XL / Noctua NF-A12x25 fans
Audio Device(s) Creative Sound Blaster ZXR / AKG K601 Headphones
Power Supply Seasonic PRIME Fanless TX-700
Mouse Logitech G500S
Keyboard Keychron Q6
Software Windows 10 Pro 64-Bit
Benchmark Scores None, as long as my games runs smooth.
The whole thing installs into the 64 bit Program Files folder. In there you should find both executable.

Interesting.

That means the Auto Cleanup Feature on Startup uses the 32-Bit Exe...

That's why my NOD32 went off.
 

Mindweaver

Moderato®™
Staff member
Joined
Apr 16, 2009
Messages
8,301 (1.45/day)
Location
Charleston, SC
System Name Tower of Power / Delliverance
Processor i7 14700K / i9-14900K
Motherboard ASUS ROG Strix Z690-A Gaming WiFi D4 / Z690
Cooling CM MasterLiquid ML360 Mirror ARGB Close-Loop AIO / Air
Memory CORSAIR Vengeance LPX 32GB (2 x 16GB) DDR4 3600 / DDR5 2x 16gb
Video Card(s) ASUS TUF Gaming GeForce RTX 4070 Ti / GeForce RTX 4080
Storage 4x Samsung 980 Pro 1TB M.2, 2x Crucial 1TB SSD / NVM3 PC801 SK hynix 1TB
Display(s) Samsung 32" Odyssy G5 Gaming 144hz 1440p, 2x LG HDR 32" 60hz 4k / 2x LG HDR 32" 60hz 4k
Case Phantek "400A" / Dell XPS 8960
Audio Device(s) Realtek ALC4080 / Sound Blaster X1
Power Supply Corsair RM Series RM750 / 750w
Mouse Razer Deathadder V3 Hyperspeed Wireless / Glorious Gaming Model O 2 Wireless
Keyboard Glorious GMMK with box-white switches / Keychron K6 pro with blue swithes
VR HMD Quest 3 (512gb) + Rift S + HTC Vive + DK1
Software Windows 11 Pro x64 / Windows 11 Pro x64
Benchmark Scores Yes
Joined
May 13, 2010
Messages
6,082 (1.14/day)
System Name RemixedBeast-NX
Processor Intel Xeon E5-2690 @ 2.9Ghz (8C/16T)
Motherboard Dell Inc. 08HPGT (CPU 1)
Cooling Dell Standard
Memory 24GB ECC
Video Card(s) Gigabyte Nvidia RTX2060 6GB
Storage 2TB Samsung 860 EVO SSD//2TB WD Black HDD
Display(s) Samsung SyncMaster P2350 23in @ 1920x1080 + Dell E2013H 20 in @1600x900
Case Dell Precision T3600 Chassis
Audio Device(s) Beyerdynamic DT770 Pro 80 // Fiio E7 Amp/DAC
Power Supply 630w Dell T3600 PSU
Mouse Logitech G700s/G502
Keyboard Logitech K740
Software Linux Mint 20
Benchmark Scores Network: APs: Cisco Meraki MR32, Ubiquiti Unifi AP-AC-LR and Lite Router/Sw:Meraki MX64 MS220-8P
I love the new Discover card alerts ad, they should alert everyone that Equifax is a dangerous website and has compromised their future credit due to hiring a music teacher/director for "diversity".

Best reply in here!
 
Joined
Jul 16, 2014
Messages
8,219 (2.16/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
that was regarding the multiple replies in this thread insulting the equifax security person having a music background, implying they cannot manage security
if the shoe fits! :rolleyes:
 

Frick

Fishfaced Nincompoop
Joined
Feb 27, 2006
Messages
19,671 (2.86/day)
Location
w
System Name Black MC in Tokyo
Processor Ryzen 5 7600
Motherboard MSI X670E Gaming Plus Wifi
Cooling Be Quiet! Pure Rock 2
Memory 2 x 16GB Corsair Vengeance @ 6000Mhz
Video Card(s) XFX 6950XT Speedster MERC 319
Storage Kingston KC3000 1TB | WD Black SN750 2TB |WD Blue 1TB x 2 | Toshiba P300 2TB | Seagate Expansion 8TB
Display(s) Samsung U32J590U 4K + BenQ GL2450HT 1080p
Case Fractal Design Define R4
Audio Device(s) Plantronics 5220, Nektar SE61 keyboard
Power Supply Corsair RM850x v3
Mouse Logitech G602
Keyboard Dell SK3205
Software Windows 10 Pro
Benchmark Scores Rimworld 4K ready!
Were you using the infected version? Format and reinstall.

The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.

"When you look at this software package, it's very well developed," Williams told Ars. "This is someone who spent a lot of money with a lot of developers perfecting it. It's clear that whoever made this has used it before and is likely going to use it again."

Stage one of the malware collected a wide assortment of information from infected computers, including a list of all installed programs, all running processes, the operating-system version, hardware information, whether the user had administrative rights, and the hostname and domain name associated with the system. Combined, the information would allow attackers not only to further infect computers belonging to a small set of targeted organizations, but it would also ensure the later-stage payload is stable and undetectable.

Now that it's known the CCleaner backdoor actively installed a payload that went undetected for more than a month, Williams renewed his advice that people who installed the 32-bit version of CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy.

The second stage seems to be targeted at things like Cisco, MS, Gmail, VMWare, Akamai and Samsung, but still. This is getting interesting.
 
Top