<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1678611822423757&amp;ev=PageView&amp;noscript=1">

CCleaner Supply Chain Attack Exposes Millions of Windows Users

Greg Mooney| September 18 2017

| security


There is a growing trend in the hacker community of compromising the update process of programs we deem safe. The latest example is a supply chain attack on CCleaner.

Every day there is another reason to reformat and flash the BIOS on your PCs and devices. The most notorious attack that used a seemingly secure update to infect machines around the world was of course the NotPetya ransomware outbreak that took place a few months ago. This type of attack, called a Supply Chain attack, is on the rise.


Windows users using Piriform’s CCleaner may have been exposed by malware over the past month. CCleaner is a free tool (there is a paid version as well) that allows users to quickly analyze their systems for ways to free up storage and cleanup Windows registry files. With over two billion downloads, Avast who bought CCLeaner back in July has stated that over a million people could be impacted by this rogue server that was dishing out the malware.

Breakdown Of CCleaner Hack

From Piriform’s blog there is a statement about the attack. Below is a technical description:

An unauthorized modification of the CCleaner.exe binary resulted in an insertion of a two-stage backdoor capable of running code received from a remote IP address on affected systems.

The suspicious code was hidden in the application’s initialization code called CRT (Common Runtime) that is normally inserted during compilation by the compiler. This code modification was executed by the following function calls (functions marked by red represent the CRT modifications):


The attack stores info in Windows registry key HKLM\SOFTWARE\Piriform\Agomo. In addition, the malware was collecting the following information:

  • Name of the computer
  • List of installed software, including Windows updates
  • List of running processes
  • MAC addresses of first three network adapters
  • Additional information whether the process is running with administrator privileges, whether it is a 64-bit system, etc.

This type of information is important to understand the intent of this attack. By knowing the above information, an attacker can potentially learn about all vulnerabilities in any given system. There is no proof yet that the attackers got any sensitive data on individuals, but they have given themselves the ability to specifically target people in the future. The information obtained allows the attacker to find other backdoors into a machine even after CCleaner is uninstalled and the malware is removed.

Related: NotPetya - Is It For The Money Or The Infrastructure?

Who is Impacted?

If you installed a CCleaner update between August 15th and September 12th and running the 32-bit version, you should at least consider reinstalling Windows. For peace of mind, flashing your BIOS and changing your passwords to all your sensitive accounts using a non-Windows based machine should be a cautionary step. As history has shown, what we don’t know always hurts us, so it’s better to be safe than sorry.  

As of right now, Piriform and Avast are not concluding who is behind this attack, but they have taken down the rogue server and have released a new u0pdate. This won’t remove the malware, so if you want to continue using CCleaner, you should install the latest version after wiping your computer.

Supply Chain Attacks Are A Growing Trend

If anything, this attack emphasizes that no part of the information security process is safe. Think about it. Cyber security experts try instilling in us that you must always keep your software and OS up to date, but now hackers are targeting that very process of patching our systems.

That doesn’t mean stop with timely updates; that would only expose your data further. These Supply Chain attacks are just warnings of how we need to get good at damage control and have an action plan in place for when our systems are compromised.

Topics: security

Leave a Reply

Your email address will not be published. Required fields are marked *


Greg is a technologist and data geek with over 10 years in tech. He has worked in a variety of industries as an IT manager and software tester. Greg is an avid writer on everything IT related, from cyber security to troubleshooting.

Free Trials

Getting started has never been easier. Download a trial today.

Download Free Trials

Contact Us

Let us know how we can help you. Focus on what matters. 

Send us a note

Subscribe to our Blog

Let’s stay in touch! Register to receive our blog updates.