CCleaner: Malicious Injection Overrides Antivirus

September 28, 2017

Author: Benjamin Baughman

CCleaner, a popular antivirus tool, was compromised when a malicious hack (injection) was written to override the antivirus software.


ccleaner-hack-malicious-injection-antivirusCCleaner, a popular tool dubbed by its creator as: “the number-one tool for cleaning your PC,” was recently discovered to contain­ a command & control module that enabled a malicious actor to collect an infected user’s data. The infected software has since been removed. This article aims to analyze how it happened and how to check your system.

It is believed to have been a supply chain hack; the original version was replaced on the servers. Having signed certificates may be indicative of a malicious insider or a compromised development environment (was a portion of the development lab hacked either intentionally or unintentionally?).

Floxif is the Trojan that was used to create the backdoor. It changes legitimate files into infected files. These Trojans can be difficult to detect and often lack noticeable indications that your system has been secretly been taken over. Most scanners can detect the floxif Trojan, but if it’s attached to a permissive download, then it has effectively overridden most antivirus software.

The malware was installed via a DLL injection (dynamic link library), which sends traffic to a specified IP address. DLL injection essentially passes code into a running program. Typically, this type of modification is well monitored and will sound the alarm with nearly every consumer antivirus software available. However, being that this had a signed certificate, it flew under the radar. The .dll file then sends information to a command and control (C2) server, which then waits for the next command. C2 is what allows hackers continuous control of a compromised system.

A DGA (domain generation Algorithm) was hard-coded into the 32-bit version that provided command and control functionality. DGAs are often employed to generate a list of domain names that serve as rendezvous points for various types of malware, APTs, and botnets. DGAs usually incorporate public-key cryptography which make them difficult to track.

The exploit itself is fairly sophisticated and will require careful analysis to be fully understood.  The .dll attached itself to a process (hConnect), allocated itself memory and inserted a process called:


From here, it executed the proxy DLL code:


Understanding how to migrate code between core processes is a critically needed skill for an exploit to be successful. This can allow a malicious actor to bypass whitelists or elevate privileges (by installing a key logger to steal credentials). Done correctly, a malicious actor can also inherit active application sessions and therefore bypass two-factor authentication. Defense in depth is needed to mitigate these types of well-thought-out and sophisticated attacks.

If you’re concerned that your system is infected (either from this exploit or some other), then you’ll need to view your running processes in task manager (PC) or your Activity monitor (mac) to try to determine where the malicious process is. You can use to scan your system processes or consider restoring your system(s) to a known good backup/snap shot. In the case of the CCleaner, it was only programmed to function in 32 bit Windows machines where the user had admin privileges.

Malicious actors continuously are becoming more sophisticated in their attack methods. Once a system has been compromised, it can be difficult to thoroughly clean. Most times, it’s easier to restore the system from a backup or a snap shot. Having commercial endpoint security software like that from Morphisec or Talos (both of which detected the CCleaner hack) is needed if you expect to keep your identity and your data secure.

Sources used: