Piriform Hacked, CCleaner August Versions (v5.33.6162) Injected, Compromised

LogitechFan · Sep 19, 2017

Moreover, the current version that is distributed by Download.com (the link is on the piriform website as of this morning) is actually detected by Malwarebytes during the installation (tried it today). All I can say is - fucking insane! Will never use this POS again, and so should you.

TheDeeGee · Sep 19, 2017

My NOD32 alerted me this morning, and removed it while Windows was still starting programs ^^

Win32/CCleaner.A - Object: C:\Program Files\CCleaner\CCleaner.exe
Win32/CCleaner.B - Object: Werkgeheugen = CCleaner.exe

Strangely enough that's the 64-Bit Program Files folder... even though they said only 32-Bit is affected.

Also ran a scan with Immunet to be sure, nothing else found, nor anything in the registery named Agomo.

rtwjunkie · Sep 19, 2017

TheDeeGee said:
My NOD32 alerted me this morning, and removed it while Windows was still starting programs ^^

Win32/CCleaner.A - Object: C:\Program Files\CCleaner\CCleaner.exe
Win32/CCleaner.B - Object: Werkgeheugen = CCleaner.exe

Strangely enough that's the 64-Bit Program Files folder... even though they said only 32-Bit is affected.

Also ran a scan with Immunet to be sure, nothing else found, nor anything in the registery named Agomo.

The whole thing installs into the 64 bit Program Files folder. In there you should find both executable.

TheDeeGee · Sep 19, 2017

rtwjunkie said:
The whole thing installs into the 64 bit Program Files folder. In there you should find both executable.

Interesting.

That means the Auto Cleanup Feature on Startup uses the 32-Bit Exe...

That's why my NOD32 went off.

Mindweaver · Sep 19, 2017

Here is how you can check to see if you were infected.

remixedcat · Sep 19, 2017

Steevo said:
I love the new Discover card alerts ad, they should alert everyone that Equifax is a dangerous website and has compromised their future credit due to hiring a music teacher/director for "diversity".

Best reply in here!

kn00tcn · Sep 21, 2017

MrGenius said:

that was regarding the multiple replies in this thread insulting the equifax security person having a music background, implying they cannot manage security

DeathtoGnomes · Sep 21, 2017

kn00tcn said:
that was regarding the multiple replies in this thread insulting the equifax security person having a music background, implying they cannot manage security

if the shoe fits! :rolleyes:

Frick · Sep 22, 2017

Were you using the infected version? Format and reinstall.

The second stage appears to use a completely different control network. The complex code is heavily obfuscated and uses anti-debugging and anti-emulation tricks to conceal its inner workings. Craig Williams, a senior technology leader and global outreach manager at Talos, said the code contains a "fileless" third stage that's injected into computer memory without ever being written to disk, a feature that further makes analysis difficult. Researchers are in the process of reverse engineering the payload to understand precisely what it does on infected networks.

"When you look at this software package, it's very well developed," Williams told Ars. "This is someone who spent a lot of money with a lot of developers perfecting it. It's clear that whoever made this has used it before and is likely going to use it again."

Stage one of the malware collected a wide assortment of information from infected computers, including a list of all installed programs, all running processes, the operating-system version, hardware information, whether the user had administrative rights, and the hostname and domain name associated with the system. Combined, the information would allow attackers not only to further infect computers belonging to a small set of targeted organizations, but it would also ensure the later-stage payload is stable and undetectable.

Now that it's known the CCleaner backdoor actively installed a payload that went undetected for more than a month, Williams renewed his advice that people who installed the 32-bit version of CCleaner 5.33.6162 or CCleaner Cloud 1.07.3191 reformat their hard drives. He said simply removing the stage-one infection is insufficient given the proof now available that the second stage can survive and remain stealthy.

The second stage seems to be targeted at things like Cisco, MS, Gmail, VMWare, Akamai and Samsung, but still. This is getting interesting.

System Name	TheDeeGee's PC
Processor	Intel Core i7-11700
Motherboard	ASRock Z590 Steel Legend
Cooling	Noctua NH-D15S
Memory	Crucial Ballistix 3200/C16 32GB
Video Card(s)	Nvidia RTX 4070 Ti 12GB
Storage	Crucial P5 Plus 2TB / Crucial P3 Plus 2TB / Crucial P3 Plus 4TB
Display(s)	EIZO CX240
Case	Lian-Li O11 Dynamic Evo XL / Noctua NF-A12x25 fans
Audio Device(s)	Creative Sound Blaster ZXR / AKG K601 Headphones
Power Supply	Seasonic PRIME Fanless TX-700
Mouse	Logitech G500S
Keyboard	Keychron Q6
Software	Windows 10 Pro 64-Bit
Benchmark Scores	None, as long as my games runs smooth.

Processor	Core i9-9900k
Motherboard	ASRock Z390 Phantom Gaming 6
Cooling	All air: 2x140mm Fractal exhaust; 3x 140mm Cougar Intake; Enermax ETS-T50 Black CPU cooler
Memory	32GB (2x16) Mushkin Redline DDR-4 3200
Video Card(s)	ASUS RTX 4070 Ti Super OC 16GB
Storage	1x 1TB MX500 (OS); 2x 6TB WD Black; 1x 2TB MX500; 1x 1TB BX500 SSD; 1x 6TB WD Blue storage (eSATA)
Display(s)	Infievo 27" 165Hz @ 2560 x 1440
Case	Fractal Design Define R4 Black -windowed
Audio Device(s)	Soundblaster Z
Power Supply	Seasonic Focus GX-1000 Gold
Mouse	Coolermaster Sentinel III (large palm grip!)
Keyboard	Logitech G610 Orion mechanical (Cherry Brown switches)
Software	Windows 10 Pro 64-bit (Start10 & Fences 3.0 installed)

System Name	TheDeeGee's PC
Processor	Intel Core i7-11700
Motherboard	ASRock Z590 Steel Legend
Cooling	Noctua NH-D15S
Memory	Crucial Ballistix 3200/C16 32GB
Video Card(s)	Nvidia RTX 4070 Ti 12GB
Storage	Crucial P5 Plus 2TB / Crucial P3 Plus 2TB / Crucial P3 Plus 4TB
Display(s)	EIZO CX240
Case	Lian-Li O11 Dynamic Evo XL / Noctua NF-A12x25 fans
Audio Device(s)	Creative Sound Blaster ZXR / AKG K601 Headphones
Power Supply	Seasonic PRIME Fanless TX-700
Mouse	Logitech G500S
Keyboard	Keychron Q6
Software	Windows 10 Pro 64-Bit
Benchmark Scores	None, as long as my games runs smooth.

System Name	Tower of Power / Delliverance
Processor	i7 14700K / i9-14900K
Motherboard	ASUS ROG Strix Z790-A Gaming WiFi II / Z690
Cooling	CM MasterLiquid ML360 Mirror ARGB Close-Loop AIO / Air
Memory	CORSAIR - VENGEANCE RGB 32GB (2x16GB) DDR5 7200MHz / DDR5 2x 16gb
Video Card(s)	ASUS TUF Gaming GeForce RTX 4070 Ti / GeForce RTX 4080
Storage	4x Samsung 980 Pro 1TB M.2, 2x Crucial 1TB SSD / NVM3 PC801 SK hynix 1TB
Display(s)	Samsung 32" Odyssy G5 Gaming 144hz 1440p, 2x LG HDR 32" 60hz 4k / 2x LG HDR 32" 60hz 4k
Case	Phantek "400A" / Dell XPS 8960
Audio Device(s)	Realtek ALC4080 / Sound Blaster X1
Power Supply	Corsair RM Series RM750 / 750w
Mouse	Razer Deathadder V3 Hyperspeed Wireless / Glorious Gaming Model O 2 Wireless
Keyboard	Glorious GMMK with box-white switches / Keychron K6 pro with blue swithes
VR HMD	Quest 3 (512gb) + Rift S + HTC Vive + DK1
Software	Windows 11 Pro x64 / Windows 11 Pro x64
Benchmark Scores	Yes

System Name	RemixedBeast-NX
Processor	Intel Xeon E5-2690 @ 2.9Ghz (8C/16T)
Motherboard	Dell Inc. 08HPGT (CPU 1)
Cooling	Dell Standard
Memory	24GB ECC
Video Card(s)	Gigabyte Nvidia RTX2060 6GB
Storage	2TB Samsung 860 EVO SSD//2TB WD Black HDD
Display(s)	Samsung SyncMaster P2350 23in @ 1920x1080 + Dell E2013H 20 in @1600x900
Case	Dell Precision T3600 Chassis
Audio Device(s)	Beyerdynamic DT770 Pro 80 // Fiio E7 Amp/DAC
Power Supply	630w Dell T3600 PSU
Mouse	Logitech G700s/G502
Keyboard	Logitech K740
VR HMD	Linktr.ee/remixedcat // for my music ♡♡
Software	Linux Mint 20
Benchmark Scores	Network: Ubiquiti Unifi Cloud Gateway Ultra/Unifi Switch Ultra 60w/Unifi Switch 8 60w/UAP-AC-LR/LITE

Piriform Hacked, CCleaner August Versions (v5.33.6162) Injected, Compromised

LogitechFan

TheDeeGee

rtwjunkie

PC Gaming Enthusiast

TheDeeGee

Mindweaver

Moderato®™

remixedcat

kn00tcn

DeathtoGnomes

Frick

Fishfaced Nincompoop

System Name	Dumbass
Processor	AMD Ryzen 7800X3D
Motherboard	ASUS TUF gaming B650
Cooling	Artic Liquid Freezer 2 - 420mm
Memory	G.Skill Sniper 32gb DDR5 6000
Video Card(s)	GreenTeam 4070 ti super 16gb
Storage	Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s)	1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case	Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s)	onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply	Corsair HX1000i
Mouse	Steeseries Esports Wireless
Keyboard	Corsair K100
Software	windows 10 H
Benchmark Scores	https://i.imgur.com/aoz3vWY.jpg?2

System Name	Black MC in Tokyo
Processor	Ryzen 5 7600
Motherboard	MSI X670E Gaming Plus Wifi
Cooling	Be Quiet! Pure Rock 2
Memory	2 x 16GB Corsair Vengeance @ 6000Mhz
Video Card(s)	XFX 6950XT Speedster MERC 319
Storage	Kingston KC3000 1TB \| WD Black SN750 2TB \|WD Blue 1TB x 2 \| Toshiba P300 2TB \| Seagate Expansion 8TB
Display(s)	Samsung U32J590U 4K + BenQ GL2450HT 1080p
Case	Fractal Design Define R4
Audio Device(s)	AuraSound AS42 Soundbar \| Plantronics 5220 \| Sony WH-1000XM3 \| Nektar SE61 \| Behringer XR18
Power Supply	Corsair RM850x v3
Mouse	Logitech G602
Keyboard	Dell SK3205
Software	Windows 10 Pro
Benchmark Scores	Rimworld 4K ready!