Floxif is a malware downloader that collects information about infected systems and sends it back to its C&C server. The malware also had the capability to download and run other binaries, but at the time of writing there was no indication that Floxif had downloaded any second-stage payload onto infected hosts.
The malware collected data such as the computer name, a list of installed software, a list of running processes, the MAC addresses of the first three network interfaces, and unique IDs to identify each machine individually. Researchers say the malicious code only ran on 32-bit systems, and that it exited without doing anything if the user was not running under an administrator account.
Cisco Talos security researchers discovered the tainted CCleaner app last week while beta-testing a new exploit detection technology.
Researchers noticed a copy of CCleaner 5.33 making calls to suspicious domains. At first this looked like another case of a user downloading a fake, malicious CCleaner app, but they later found that the installer had been downloaded from the official website and was signed with a valid digital certificate.
Cisco Talos believes a threat actor may have compromised Avast's supply chain and used its digital certificate to replace the legitimate CCleaner v5.33 app on its website with one that also contained the Floxif trojan.
It is unclear whether this threat actor breached Avast's systems without the company's knowledge, or whether the malicious code was added by "an insider with access to either the development or build environments within the organization."
Avast bought Piriform, CCleaner's original developer, in July this year, a month before CCleaner 5.33 was released.
Piriform confirmed the incident in a blog post today. The company said it found the malware in CCleaner version 5.33.6162 and CCleaner Cloud version 1.07.3191.
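The practical question for an administrator is whether a given Windows host carries one of the two builds Piriform named. The following host-triage script is an added example, not code from Cisco Talos, Piriform or Avast. It searches the Program Files trees for CCleaner executables, compares their version resources against 5.33.6162 and 1.07.3191, and reports the Authenticode status next to the result, because in this incident a "Valid" signature did not mean a clean binary. It assumes (my assumptions, not the article's) that the products install under the two Program Files directories with executables named CCleaner*.exe, and that the version resource may encode the build either as 5.33.6162 or as 5.33.0.6162.

```powershell
# Added triage example (not code from Cisco Talos, Piriform or Avast): flag hosts
# that carry the trojanized builds named in the Piriform advisory and show the
# signature status alongside, since the backdoored build was validly signed.
#
# Assumptions (mine, not the article's): install locations under the Program Files
# trees, executables named CCleaner*.exe, and version strings that may read
# 5.33.6162 or 5.33.0.6162.

$KnownBad = @(
    @{ Product = 'CCleaner';       Parts = @(5, 33, 6162) }
    @{ Product = 'CCleaner Cloud'; Parts = @(1, 7, 3191) }
)
$SearchRoots = @("$env:ProgramFiles", "${env:ProgramFiles(x86)}") |
    Where-Object { $_ -and (Test-Path -LiteralPath $_) }

function ConvertTo-VersionParts {
    param([string]$VersionString)
    # "5.33.0.6162" or "5, 33, 0, 6162" -> 5,33,0,6162 (numeric components only)
    @(($VersionString -split '[^\d]+') | Where-Object { $_ -ne '' } | ForEach-Object { [int]$_ })
}

function Test-KnownBadVersion {
    param([string]$VersionString, [int[]]$Bad)
    $p = ConvertTo-VersionParts $VersionString
    if ($p.Count -lt 3) { return $false }
    # Compare major, minor and the build number (last component); this tolerates
    # the extra zero component some version resources insert (see assumptions above).
    return ($p[0] -eq $Bad[0] -and $p[1] -eq $Bad[1] -and $p[-1] -eq $Bad[2])
}

function Get-CCleanerTriage {
    foreach ($root in $SearchRoots) {
        Get-ChildItem -LiteralPath $root -Recurse -Filter 'CCleaner*.exe' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exe  = $_
            $vi   = $exe.VersionInfo
            $sig  = Get-AuthenticodeSignature -LiteralPath $exe.FullName
            $hits = $KnownBad | Where-Object {
                (Test-KnownBadVersion $vi.FileVersion $_.Parts) -or
                (Test-KnownBadVersion $vi.ProductVersion $_.Parts)
            }
            [pscustomobject]@{
                Path           = $exe.FullName
                FileVersion    = $vi.FileVersion
                ProductVersion = $vi.ProductVersion
                KnownBadBuild  = if ($hits) { ($hits.Product -join ', ') } else { '' }
                SignatureState = $sig.Status        # was 'Valid' on the trojanized build too
                Signer         = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                SHA256         = (Get-FileHash -LiteralPath $exe.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

$results = Get-CCleanerTriage
$results | Format-Table -AutoSize

# The article says the Floxif code only ran on 32-bit systems, so record OS bitness
# with the finding: a hit on a 64-bit host still means the tainted installer was
# present, even if the payload would not have executed.
Write-Host ("64-bit OS: {0}" -f [Environment]::Is64BitOperatingSystem)

$flagged = @($results | Where-Object { $_.KnownBadBuild -ne '' })
if ($flagged.Count -gt 0) {
    $msg = "{0} binary(ies) match a known-trojanized build; treat the host as compromised " +
           "regardless of signature status and keep the SHA256 values for the IR record."
    Write-Warning ($msg -f $flagged.Count)
} else {
    Write-Host 'No CCleaner binary on this host matches the versions named in the Piriform advisory.'
}
```

Run it from an elevated prompt so Get-ChildItem can read every install directory. The signature column is deliberately informational only: the decision to treat a host as compromised rests on the version match, not on whether the signature chain validates.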