We at Ultra Scary have been alerted to a breach in a very popular computer utility.
It appears that criminals compromised CCleaner version 5.33 and CCleaner Cloud version 1.07.3191 and hid malware in them that could be used to spy on and control computers remotely. The software was available for download from Aug 15th 2017 to Sept 13 2017.
The malware appears to modify CBkrdr.dll and CCBkrdr_GetShellcodeFromC2AndCall to hide within the CCleaner program.
The malware pings 220.127.116.11, a multicast address, and then waits for 601 seconds.
The malware terminates if the user is not an admin (this is another reason NOT to run your everyday user account as an administrative user). If the user is an admin, the malware connects to the Command and Control server and downloads new and updated code.
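The indicators above (the two trojanized version strings and the hardcoded IP) are enough to run a first triage pass over a software inventory and outbound firewall logs. The script below is an added example, not Ultra Scary's or the CCleaner vendor's code; the inventory rows, log lines and the `host=`/`dst=` log format are constructed for illustration, so adapt the regex to your own log source.

```python
"""Triage hosts against the CCleaner 5.33 / Cloud 1.07.3191 indicators.

Added example. Two signals are checked:
  1. a trojanized CCleaner build is installed (software inventory), and
  2. the host made an outbound connection to the C2 indicator (firewall log).
A host that matches either is flagged; one that matches both is top priority.
"""
import re

# Version strings the advisory names as trojanized.
COMPROMISED_VERSIONS = {
    "CCleaner": "5.33",
    "CCleaner Cloud": "1.07.3191",
}
# Network indicator from the advisory.
C2_IP = "220.127.116.11"

# Constructed software inventory: (hostname, product, installed version).
# Installers often carry an extra build number, so "5.33.1000" is a 5.33 build.
INVENTORY = [
    ("ws-01", "CCleaner", "5.33"),
    ("ws-02", "CCleaner", "5.34.0"),
    ("ws-03", "CCleaner Cloud", "1.07.3191"),
    ("ws-04", "CCleaner", "5.32.1000"),
    ("ws-05", "CCleaner", "5.33.1000"),
    ("ws-06", "Notepad++", "7.5"),
]

# Constructed firewall log in a key=value style (not a real vendor format).
FIREWALL_LOG = """\
2017-09-01T10:02:11Z src=10.0.0.11 host=ws-01 dst=220.127.116.11 dport=443 action=allow
2017-09-01T10:02:12Z src=10.0.0.12 host=ws-02 dst=198.51.100.7 dport=443 action=allow
2017-09-01T10:12:13Z src=10.0.0.14 host=ws-04 dst=220.127.116.11 dport=443 action=deny
"""

LOG_RE = re.compile(r"host=(?P<host>\S+)\s.*?dst=(?P<dst>\S+)")


def version_tuple(version):
    """'1.07.3191' -> (1, 7, 3191); numeric compare avoids '5.330' false hits."""
    return tuple(int(part) for part in version.split("."))


def is_compromised_version(product, version):
    """True when the installed version is the trojanized release (prefix match
    on the numeric components, so build suffixes such as 5.33.x still match)."""
    target = COMPROMISED_VERSIONS.get(product)
    if target is None:
        return False
    t = version_tuple(target)
    return version_tuple(version)[: len(t)] == t


def hosts_contacting_c2(log_text):
    """Hosts with any outbound record to the C2 IP, allowed or denied: a denied
    attempt still means the implant ran on that host."""
    hits = set()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dst") == C2_IP:
            hits.add(m.group("host"))
    return hits


def triage(inventory, log_text):
    """Map hostname -> list of findings. Hosts with no findings are omitted."""
    findings = {}
    for host, product, version in inventory:
        if is_compromised_version(product, version):
            findings.setdefault(host, []).append(
                f"compromised build installed: {product} {version}")
    for host in sorted(hosts_contacting_c2(log_text)):
        findings.setdefault(host, []).append(
            f"outbound connection to C2 indicator {C2_IP}")
    return findings


if __name__ == "__main__":
    for host, notes in sorted(triage(INVENTORY, FIREWALL_LOG).items()):
        print(host, "->", "; ".join(notes))
```

Note that ws-04 is flagged even though its inventory shows a clean version: the inventory may be stale or the user may have since downgraded, so a C2 contact is treated as a finding on its own and the host goes into the reformat-and-reprovision queue like the others.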
Any computer on which a compromised version of CCleaner has been installed should be considered compromised and should be re-formatted and reprovisioned.
Here are indicators to monitor to determine whether your network is infected: