CCleaner Backdoor: 2.27 Million Downloads Infected via Legitimate Software Update

Attackers compromised Piriform's build environment and inserted a backdoor into CCleaner 5.33 — a legitimate, signed Windows optimisation tool downloaded 2.27 million times before discovery. The payload targeted 18 major tech companies.

Piriform / Avast / 18 Tech Companies·2017·2 min read

Background

CCleaner was one of the most trusted Windows utility applications with hundreds of millions of users. Piriform, its developer, was acquired by Avast in July 2017. The attack began before the acquisition and was discovered in September 2017 — meaning a trusted, antivirus-owned tool was distributing malware.

The Attack

Attackers compromised Piriform's build server and modified the CCleaner source code to include a multi-stage backdoor before the software was compiled and signed with a legitimate Piriform code-signing certificate. The modified CCleaner 5.33 was distributed through official channels from August 15 to September 12, 2017. The backdoor collected system information and sent it to a command-and-control server. A second-stage payload was delivered only to machines at 18 specific technology companies: Intel, Google, Cisco, Microsoft, Samsung, Sony, VMware, HTC, Epson, and others — suggesting the primary goal was corporate espionage, not mass exploitation.

Response

Cisco Talos researchers discovered the backdoor by analysing network traffic to the C2 server. Avast immediately pushed an update to remove the backdoor and worked with law enforcement. The C2 server was taken down. Avast published detailed technical analysis. The second-stage payload was found on only 40 machines at the target companies.

Outcome

The surgical targeting of only 18 specific tech companies suggests nation-state espionage. Attackers used the 2.27 million installations as cover — most users received only the phone-home first stage. The signing of the malicious binary with a legitimate certificate bypassed all signature-based security controls.

Key Takeaways

  1. Code signing certificates provide false assurance when the signing process itself is compromised
  2. Build environments are extremely high-value targets — treat them with the same security as production systems
  3. Even trusted, widely used tools can be compromised — monitor for unexpected outbound network connections from all software
  4. Staged payloads delivered only to specific high-value targets can persist undetected in mass distributions
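One way to act on takeaways 2 and 3 in practice is a baseline-deviation check over endpoint network telemetry: every outbound connection from a trusted utility is compared against the destinations that process is expected to contact, and anything else is surfaced for review. The script below is an added example and is not code from the original page, from Piriform, Avast or Cisco Talos; the log format, process names, hostnames and the baseline itself are all constructed assumptions standing in for real EDR or Sysmon network-connection events.

```python
"""Baseline-deviation check for outbound connections of trusted software.

Added example (not Piriform, Avast or Cisco Talos code). The log lines,
process names, hostnames and baseline below are constructed for illustration.
"""
import re
from collections import defaultdict

# Constructed baseline: the destinations each trusted process is expected to
# contact. In practice this is learned from historical telemetry or taken from
# vendor documentation. "*" exempts a process that legitimately talks anywhere.
BASELINE = {
    "ccleaner.exe": {"update.example-vendor.test"},
    "browser.exe": {"*"},
}

# Constructed log lines in a simple "timestamp process host:port" format, a
# stand-in for network-connection telemetry from an EDR agent or Sysmon.
SAMPLE_LOG = """\
2017-08-20T10:00:01Z ccleaner.exe update.example-vendor.test:443
2017-08-20T10:00:05Z ccleaner.exe unknown-host.test:443
2017-08-20T10:01:00Z browser.exe news.example.test:443
2017-08-20T10:02:00Z ccleaner.exe unknown-host.test:443
2017-08-20T10:03:00Z helper.exe telemetry.example.test:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["proc"] = rec["proc"].lower()
    rec["host"] = rec["host"].lower()
    rec["port"] = int(rec["port"])
    return rec


def find_unexpected_connections(log_text, baseline=BASELINE):
    """Return one alert per (process, host) pair that falls outside the baseline.

    A process with no baseline entry at all is reported as well, so that newly
    appearing software is reviewed rather than silently ignored. Repeated
    connections to the same unexpected host are folded into a count, which is
    what a low-volume phone-home stage looks like in real telemetry.
    """
    alerts = []
    seen = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        allowed = baseline.get(rec["proc"])
        if allowed is None:
            reason = "no baseline for process"
        elif "*" in allowed or rec["host"] in allowed:
            continue  # expected destination, nothing to report
        else:
            reason = "destination not in baseline"
        key = (rec["proc"], rec["host"])
        seen[key] += 1
        if seen[key] == 1:  # report each new pair once, then just count repeats
            alerts.append({
                "process": rec["proc"],
                "host": rec["host"],
                "port": rec["port"],
                "reason": reason,
                "first_seen": rec["ts"],
            })
    for alert in alerts:
        alert["count"] = seen[(alert["process"], alert["host"])]
    return alerts


if __name__ == "__main__":
    for alert in find_unexpected_connections(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the check reports two items: ccleaner.exe contacting unknown-host.test twice (a destination the baseline never saw, exactly the kind of first-stage beacon that a valid code signature would not reveal), and helper.exe, which has no baseline and therefore needs a reviewer to decide whether it belongs on the host at all. The baseline itself should be treated like a build artefact: versioned, reviewed, and updated deliberately when a vendor documents a new update endpoint, never auto-learned from traffic that has already been flagged.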
Tags: CCleaner, build server compromise, code signing, nation-state, second-stage payload