The real motive of Floxif virus delivered with CCleaner v5.33
A couple of days ago, IT experts made an astonishing discovery: version 5.33 of CCleaner was delivering malware. Fortunately, this departure from the tool's usual role of eliminating malware, rather than delivering it, was noticed by Cisco Talos experts.
Although the malware's ability to spy on users and collect data was identified at the outset, it now appears that the real target was much bigger prey. If you have not yet updated the software from version 5.33 to 5.34, do so now.
Analysis unraveled intriguing details
The main culprit, the Floxif malware, counterfeited the application's digital certificate, which gave it the appearance of a legitimate version. Thus even cautious users failed to notice anything suspicious, since the corrupted version carried the name of the official publisher, Piriform. What is more, the malware delayed its activity for 601 seconds, which further helped it evade detection.
While more than 2 million ordinary users were said to have downloaded the backdoored version, its developers were aiming at a bigger challenge. After the malware was discovered, a second payload was launched by the perpetrators.
While the initial version attacked only 32-bit systems, the improved version attempted to attack 64-bit operating systems as well. Depending on the OS, the malware dropped TSMSISrv.dll or EFACli64.dll. Further analysis by Cisco Talos reveals the main targets of the virus. Here are some of them:
Interestingly, the technical details of the malware contain some elements that refer to the time zone of the People's Republic of China. However, such assumptions still need more evidence. Cisco Talos specialists also reviewed the findings of Kaspersky Lab researchers, who suggested that the malware code resembled code created by the Group 72 hacker group.
A new approach to cyber security
After the corrupted version was identified, CCleaner's owners removed the infected build from the download service. Users are urged to update to version 5.34.
Nonetheless, given this elaborate malware distribution network, it is advisable to scan the system in Safe Mode for backdoors and any other malware that may have been downloaded, or even to restore the system from a backup image. Lastly, in view of the new trend of attacks on WordPress, Joomla and JBoss servers, companies need to take cyber security much more seriously.
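The following PowerShell script is an added example, not code from the article, from Cisco Talos or from Piriform. It turns the indicators named above into a host triage check for Windows administrators: whether a CCleaner 5.33 build is still installed (5.34 being the clean update), and whether either of the second-stage DLL names, TSMSISrv.dll for 32-bit or EFACli64.dll for 64-bit systems, is present. Two details are assumptions rather than facts from the article: the installed version is read from the standard Windows Uninstall registry keys, and the DLLs are searched for under the Windows directory, since the article does not state where they were dropped.

```powershell
# Added example (not from the article, Cisco Talos or Piriform): triage a Windows host for
# the indicators the article names. Run in an elevated PowerShell session.
# Assumptions: the CCleaner version lives in the standard Uninstall registry keys, and the
# second-stage DLLs, if present, are somewhere under $env:SystemRoot.

$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # 32-bit apps on 64-bit OS
)
# DLL names dropped by the second-stage payload (32-bit and 64-bit respectively), as named in the article.
$DroppedDlls = @('TSMSISrv.dll', 'EFACli64.dll')

$findings = @()

# 1. Installed CCleaner version: 5.33 is the trojanized build, 5.34 is the clean update.
$ccleaner = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'CCleaner*' }

foreach ($app in $ccleaner) {
    # Compare numerically, not as a string, so "5.33.6162" is still recognised as 5.33.
    $ver = $null
    if ($app.DisplayVersion -and [version]::TryParse($app.DisplayVersion, [ref]$ver)) {
        if ($ver.Major -eq 5 -and $ver.Minor -eq 33) {
            $findings += "Vulnerable CCleaner build installed: $($app.DisplayName) $($app.DisplayVersion)"
        }
    } else {
        $findings += "CCleaner entry with unparseable version, review manually: $($app.DisplayName)"
    }
}

# 2. Second-stage DLL names, searched recursively under the Windows directory (assumed location).
Get-ChildItem -Path $env:SystemRoot -Recurse -Include $DroppedDlls -File -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Second-stage DLL name present: $($_.FullName)" }

if ($findings.Count -eq 0) {
    Write-Output 'No CCleaner 5.33 build or second-stage DLL names found on this host.'
} else {
    $findings | ForEach-Object { Write-Warning $_ }
    Write-Output 'Host matches indicators of the CCleaner 5.33 compromise: isolate it, then scan it offline or restore from a known-good backup image.'
}
```

A match on a DLL name is a reason to investigate, not proof of infection on its own, and the absence of a match does not clear a host: the article notes that the payload waited 601 seconds before acting, which is longer than many automated sandboxes observe a sample, so a clean short-run scan of the installer itself proves little. Pair this check with the Safe Mode scan or image restore the article recommends.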