CCleaner compromise: keylogger may have been present

Piriform makes CCleaner, a popular application that allows Windows users to perform routine maintenance on their systems. CCleaner was compromised and used to spread malware last year.

The news that CCleaner had been compromised broke on 17 September 2017 through a detailed report from Cisco's Talos Intelligence Group.

The same group published a second analysis, detailing a number of companies that it said were targeted by the malware within CCleaner. Listed were Cisco, Intel, Microsoft, HTC, Samsung, VMware,Akamai, Sony, Singtel, D-Link, O2, Vodafone, German gaming and gambling company Gauselmann, Linksys, Gmail, MSI, Dynamic Network Services and Epson.

{loadposition sam08}Avast chief executive Vince Steckler and chief technology officer Ondřej Vlček published a blog post on 18 September, providing details of the incident. They then put up a second post on 20 September, after the second Talos post was published.

In its latest update, issued on Thursday, Avast said in order to complete its investigation, it had migrated all the Piriform infrastructure to its own set-up.

In the course of this process, it found that ShadowPad had been installed on the four Piriform PCs on 12 April 2017. The installation of ShadowPad was presumed to have been done by the second stage downloader of the malware that was used to compromise CCleaner.

"By installing a tool like ShadowPad, the cyber criminals were able to fully control the system remotely while collecting credentials and insights into the operations on the targeted computer," the Avast post said.

"Besides the keylogger tool, other tools were installed on the four computers, including a password stealer, and tools with the capacity to install further software and plugins on the targeted computer remotely."

The Avast post said that the investigation into the CCleaner compromised was continuing and it would issue further updates as needed.