ALERT, CCLEANER 5.33 IS COMPROMISED.

We at Ultra Scary have been alerted to a breach in a very popular computer utility.

It appears that criminals breached CCleaner and hid malware in CCleaner version 5.33 and CCleaner Cloud version 1.07.3191 that could be used to remotely spy on and control computers. The software was available for download from Aug 15th 2017 to Sept 13th 2017.

The malware appears to modify CBkrdr.dll and CCBkrdr_GetShellcodeFromC2AndCall to hide within the CCleaner program.

The malware pings 224.0.0.0, a multicast address, and then waits for 601 seconds.

The malware terminates if the user is not an admin (this is another reason not to run your normal day-to-day account as an administrative user). If the user is an admin, the malware connects to the command-and-control server and downloads new and updated code.

Any computer on which one of the compromised versions of CCleaner has been installed should be considered compromised and should be reformatted and reprovisioned.

-Gj-

IT Experts,

here are indicators to monitor for, to determine whether any host on your network is infected:

DGA DOMAINS

IP ADDRESSES

216[.]126[.]225[.]148
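A small indicator-matching script, added here as an example (it is not part of the original alert and not vendor tooling): it refangs the defanged indicators published in this post and flags log lines that resolve one of the DGA domains or contact the listed IP address. The DNS and firewall log lines are constructed for the example, and their format is an assumption.

```python
import re
import ipaddress

# A few of the indicators as published in the alert above, still defanged with "[.]".
INDICATORS = [
    "ab6d54340c1a[.]com",
    "aba9a949bc1d[.]com",
    "ab2da3d400c20[.]com",
    "216[.]126[.]225[.]148",
]

def refang(ioc: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable lowercase string."""
    return ioc.replace("[.]", ".").lower()

def build_matchers(iocs):
    """Split refanged indicators into a domain set and an IP set."""
    domains, ips = set(), set()
    for raw in iocs:
        value = refang(raw)
        try:
            ips.add(str(ipaddress.ip_address(value)))
        except ValueError:
            domains.add(value)
    return domains, ips

# Constructed sample log lines (not captured from a real network); the format is assumed.
SAMPLE_LOGS = [
    "2017-09-12T10:01:05Z dns client=10.0.0.12 query=ab6d54340c1a.com type=A",
    "2017-09-12T10:01:07Z dns client=10.0.0.12 query=www.example.com type=A",
    "2017-09-12T10:11:06Z fw src=10.0.0.12 dst=216.126.225.148 dport=443 action=allow",
    "2017-09-12T10:11:08Z fw src=10.0.0.13 dst=93.184.216.34 dport=443 action=allow",
]

DOMAIN_RE = re.compile(r"\b[a-z0-9][a-z0-9.-]*\.[a-z]{2,}\b", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def scan(lines, iocs=INDICATORS):
    """Return (line, indicator) pairs for every log line that touches a known indicator."""
    domains, ips = build_matchers(iocs)
    hits = []
    for line in lines:
        for domain in DOMAIN_RE.findall(line):
            if domain.lower() in domains:
                hits.append((line, domain.lower()))
        for ip in IP_RE.findall(line):
            if ip in ips:
                hits.append((line, ip))
    return hits

if __name__ == "__main__":
    for line, ioc in scan(SAMPLE_LOGS):
        print(f"HIT {ioc}: {line}")
```

A hit on a DNS query for one of these domains is only expected from hosts that ran the compromised build as an administrator, so every matching client is a candidate for the reformat-and-reprovision step above.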