CCleaner Installer Distributes Malware CC-1645

During the installation of CCleaner version 5.33 the binary code included a malicious payload that featured a Domain Generation Algorithm (DGA), a subroutine that provides malware with new domains on demand, and a hardcoded C2 functionality.

One sample of CCleaner 5.33 was signed with a valid certificate that was issued to Piriform Ltd by Symantec and is valid through 10/10/2018. An additional sample showed that it was also signed with a valid certificate but the signing timestamp was approximately 15 minutes after the initial sample was signed.

The 32-bit CCleaner 5.33 binary included modified code that redirected code execution flow within the CCleaner binary to malicious code prior to continuing with the normal CCleaner operations. The code is responsible for decrypting data which contains the two stages of the malicious payload, a PIC (Position Independent Code) PE loader as well as a DLL (Dynamic link library) file that effectively functions as the malware payload.