The Floxif Trojan hit the world hard after attackers managed to secretly modify the CCleaner 5.33.6162 and CCleaner Cloud 1.07.3191 releases so that they distributed malware. The crooks had the opportunity of a lifetime: their malicious modifications to the legitimate software (the builds meant for 32-bit Windows operating systems) remained undetected for nearly a month, and the trojanised program ended up being downloaded onto approximately 2.27M systems. We have already investigated a variety of Trojans, such as Ticno and Proteus; read those articles if you need more details about such malware samples.
According to an ongoing investigation, the Floxif malware was planted in CCleaner by a group called Axiom. This means that attackers from China have managed to target American companies once again, and this is certainly not the last time. Back in 2014, 43,000 computers belonging to US users had fallen victim to the Axiom group (Axiom attack).
Tainted CCleaner versions distributed Floxif Trojan virus
Before going further, we have to stress that the owners of CCleaner, Piriform Ltd, had nothing to do with the malicious activity that their product unknowingly initiated. The software's build process was compromised and the attackers were able to modify the official installers. As soon as the software was installed, the Floxif Trojan would begin collecting information and sending it to the cybercriminals. CCleaner is nothing like rogue security applications such as CyboScan PC Optimizer.
Piriform Ltd. issued an official statement on their blog explaining that their software had been illegally modified to infect their clients with malware (Official post of Piriform). In fact, security researchers from Cisco Talos were the ones to make this disturbing discovery, while they were testing new tools for exploit detection. You can imagine how surprised the researchers were to realize that the tainted version of CCleaner was signed with a valid digital certificate and came from the program's official download page (Cleaner: a vast number of machines at risk).
The malware mainly fed the cybercriminals technical information about infected devices: installed software, computer names, running processes, MAC addresses, and IDs that uniquely identify each computer. Even though it was at first presumed that this data-gathering was the only activity the Floxif malware carried out, new revelations suggest a different scenario. As it turns out, the Trojan did download additional malware onto approximately two dozen computers (Trojan delivered secondary payloads).
The compromise took place on the 15th of August, 2017, and until the 12th of September every user who downloaded CCleaner received the Floxif Trojan bundled with the installer. The malware hid from users and ran in the background, quietly consuming CPU resources to send information to the attackers' C&C servers. The Trojan was presumed to contact the IP address 220.127.116.11. Besides supplying the attackers with data, Floxif had the capability to act as a downloader and retrieve additional malware onto infected hosts.
As it appears, the attackers had a very specific idea of who was supposed to become a victim of the Floxif Trojan (Situation of Floxif Trojan is much worse than expected). While it did affect ordinary people, the attack was also meant to compromise well-known companies like Gmail, Linksys, Epson, MSI, Oracle, Cisco and many others. Generally speaking, influential technology and telecommunication companies in Japan, Taiwan, the United Kingdom, Germany and the United States of America were targeted.
However, the disturbing information does not end here. After further analysis, security researchers point out that the Axiom hackers managed to implant their malware into the computers of respectable organizations such as banks and government institutions. All of the targeted companies are being informed about the situation and offered technical support.
Tips on avoiding malware infections
If you are one of the thousands of people who downloaded the tainted CCleaner version, it is important to resolve this quickly. CCleaner has since been updated to a safe version, and users can replace the malicious build with a harmless one. The properly functioning release is 5.35.
Furthermore, it is always advisable to run security scans and confirm that your operating system is not harbouring malicious programs. Address this promptly. Do not assume that using CCleaner is no longer worthwhile: software applications are compromised every day, and this particular tool remains well regarded.
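As an added illustration of the check described above (this is not code from the article, Piriform or Cisco Talos), the following Python flags hosts in a software inventory that run the trojanised builds or a CCleaner older than 5.35, and hosts whose outbound connection log shows the address the article names. The inventory rows, hostnames, benign address and log lines are constructed for illustration.

```python
"""Flag hosts exposed to the trojanised CCleaner builds named in the article.
Added example, not code from the article, Piriform or Cisco Talos; all
inventory rows and log lines are constructed for illustration."""
import re

# (product, version) pairs the article names as trojanised.
TAINTED = {("ccleaner", "5.33.6162"), ("ccleaner cloud", "1.07.3191")}
FIXED_VERSION = "5.35"  # article: the clean release; older CCleaner builds need replacing
CNC_IP = "220.127.116.11"  # article: address the Trojan was presumed to contact

def parse_version(v):
    """'5.33.6162' -> (5, 33, 6162): numeric compare (lexically '5.33' < '5.4', which is wrong)."""
    return tuple(int(p) for p in v.split("."))

def classify_inventory(rows):
    """rows: iterable of (host, product, version).
    Returns {host: 'tainted' | 'outdated' | 'ok'} for CCleaner products only."""
    result = {}
    for host, product, version in rows:
        key = product.strip().lower()
        if key not in ("ccleaner", "ccleaner cloud"):
            continue
        if (key, version) in TAINTED:
            result[host] = "tainted"
        elif key == "ccleaner" and parse_version(version) < parse_version(FIXED_VERSION):
            result[host] = "outdated"
        else:
            result[host] = "ok"
    return result

def hosts_contacting_cnc(log_lines):
    """Sorted hosts whose outbound connection log shows a connection to CNC_IP."""
    pattern = re.compile(r"src=(\S+)\s+dst=" + re.escape(CNC_IP) + r"(?!\d)")
    hits = set()
    for line in log_lines:
        m = pattern.search(line)
        if m:
            hits.add(m.group(1))
    return sorted(hits)

# Constructed sample data (hostnames and the benign 93.184.216.34 entry are made up).
INVENTORY = [("ws01", "CCleaner", "5.33.6162"), ("ws02", "CCleaner", "5.35.6210"),
             ("ws03", "CCleaner Cloud", "1.07.3191"), ("ws04", "CCleaner", "5.32.6129"),
             ("ws05", "Notepad++", "7.5")]
FW_LOG = ["2017-09-01T10:00:00 ALLOW src=ws01 dst=220.127.116.11 dport=443",
          "2017-09-01T10:00:05 ALLOW src=ws02 dst=93.184.216.34 dport=443",
          "2017-09-01T10:01:00 ALLOW src=ws03 dst=220.127.116.11 dport=443"]

if __name__ == "__main__":
    print(classify_inventory(INVENTORY), hosts_contacting_cnc(FW_LOG))
```

A host flagged "tainted" or seen contacting the address should be treated as compromised rather than merely updated, since the article notes the Trojan could also fetch secondary payloads.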
Automatic Malware removal tools