Avast: CCleaner malware similar to China's APT17 attacks

Evidence suggests the hackers confused South Korea with Slovakia

binary on a screen with words 'hacking attack'

Avast has said that the recent malware attack using its CCleaner application shares similarities with the tools used by the group known as APT17, a Chinese hacking collective responsible for attacks against Microsoft in 2015.

"Following the take-down of the CnC (command and control) server and getting access to its data, the Avast Security Threat Labs team has been working around the clock to investigate the source and other details of the recent Piriform CCleaner attack," the company said in a blog post.

Advertisement - Article continues below

The parent company behind the popular PC optimising tool said that identifying exactly who was behind the attack remains almost impossible, but that some of the codes used in the hack were almost identical to those found in the APT17/Aurora malware.

Chinese hacking group APT17, known for its attacks against defence agencies, US government departments and technology companies, were able to exploit Microsoft's TechNet website in 2015 to host user comments that were in fact addresses for infected computers to connect to.

In the case of the CCleaner attack, the majority of the connections in the attack originated from Japanese networks, although it is likely that these were infected addresses and simply acted as a proxy to hide the real source. However, it is thought that the hackers had knowledge of Asian networks, and that although many companies in that region were targeted, China was suspiciously unaffected, according to Avast.

Advertisement - Article continues below
Advertisement - Article continues below

The attack is thought to have affected 2.27 million users, although the real targets are thought to have been large companies, such as Cisco, Samsung, VMware and Google. Originally thought to have affected 20 companies, Avast has since found two more targets that have yet to be publicly identified.

As is frequently the case with malware of this kind, the attack appears to have been fairly unsophisticated. Recovery efforts by the Avast team and law enforcement agencies initially pointed to just four days worth of data collection, suggesting that hoards had been deleted in an effort to avoid being traced.

In reality, the MariaDB database that was used to house the collected data simply ran out of disk space, and Avast spotted numerous desperate attempts by the hackers to clear room. Unfortunately, this has made it difficult to create a full picture of how many were affected by the hack.

Advertisement - Article continues below

The hackers were also a little confused over company domain names. According to data: "The attackers seem to have made a mistake with the domain name of one company specified as "

The researchers also identified a kill switch in the CCleaner malware code, similar to the one found in the WannaCry malware, however, further analysis revealed that it was far less effective at halting the attack.

"Our investigation and hunt for the perpetrators continues," said Avast, in a blog post on Friday. "In the meantime, we advise users who downloaded the affected version to upgrade to the latest version of CCleaner and perform a scan of their computer with a good security software, to ensure no other threats are lurking on their PC."

It added that any company identified as being infected has been notified, however if there are any others that feel they have encountered the malware they should contact Avast through its legal department.



cyber security

Report: 16.5 million Britons fell victim to cyber crime in the past year

1 Apr 2020
Amazon Web Services (AWS)

AWS launches Amazon Detective for investigating security incidents

1 Apr 2020

UK government to launch coronavirus 'contact tracking' app

1 Apr 2020
video conferencing

Zoom admits meetings don't use end-to-end encryption

1 Apr 2020

Most Popular

cyber security

Elon Musk's SpaceX bans Zoom over security fears

2 Apr 2020
application programming interface (API)

Apple buys Dark Sky weather app and leaves Android users in the cold

1 Apr 2020
data management

Oracle cloud courses are free during coronavirus lockdown

31 Mar 2020