Avast: CCleaner malware similar to China's APT17 attacks

Evidence suggests the hackers confused South Korea with Slovakia

binary on a screen with words 'hacking attack'

Avast has said that the recent malware attack using its CCleaner application shares similarities with the tools used by the group known as APT17, a Chinese hacking collective responsible for attacks against Microsoft in 2015.

"Following the take-down of the CnC (command and control) server and getting access to its data, the Avast Security Threat Labs team has been working around the clock to investigate the source and other details of the recent Piriform CCleaner attack," the company said in a blog post.

The parent company behind the popular PC optimising tool said that identifying exactly who was behind the attack remains almost impossible, but that some of the codes used in the hack were almost identical to those found in the APT17/Aurora malware.

Chinese hacking group APT17, known for its attacks against defence agencies, US government departments and technology companies, were able to exploit Microsoft's TechNet website in 2015 to host user comments that were in fact addresses for infected computers to connect to.

In the case of the CCleaner attack, the majority of the connections in the attack originated from Japanese networks, although it is likely that these were infected addresses and simply acted as a proxy to hide the real source. However, it is thought that the hackers had knowledge of Asian networks, and that although many companies in that region were targeted, China was suspiciously unaffected, according to Avast.

The attack is thought to have affected 2.27 million users, although the real targets are thought to have been large companies, such as Cisco, Samsung, VMware and Google. Originally thought to have affected 20 companies, Avast has since found two more targets that have yet to be publicly identified.

As is frequently the case with malware of this kind, the attack appears to have been fairly unsophisticated. Recovery efforts by the Avast team and law enforcement agencies initially pointed to just four days worth of data collection, suggesting that hoards had been deleted in an effort to avoid being traced.

In reality, the MariaDB database that was used to house the collected data simply ran out of disk space, and Avast spotted numerous desperate attempts by the hackers to clear room. Unfortunately, this has made it difficult to create a full picture of how many were affected by the hack.

The hackers were also a little confused over company domain names. According to data: "The attackers seem to have made a mistake with the domain name of one company specified as "

The researchers also identified a kill switch in the CCleaner malware code, similar to the one found in the WannaCry malware, however, further analysis revealed that it was far less effective at halting the attack.

"Our investigation and hunt for the perpetrators continues," said Avast, in a blog post on Friday. "In the meantime, we advise users who downloaded the affected version to upgrade to the latest version of CCleaner and perform a scan of their computer with a good security software, to ensure no other threats are lurking on their PC."

It added that any company identified as being infected has been notified, however if there are any others that feel they have encountered the malware they should contact Avast through its legal department.

Featured Resources

Navigating the new normal: A fast guide to remote working

A smooth transition will support operations for years to come

Download now

Leading the data race

The trends driving the future of data science

Download now

How to create 1:1 customer experiences at scale

Meet the technology capable of delivering the personalisation your customers crave

Download now

How to achieve daily SAP releases

Accelerate the pace of SAP change to support your digital strategy

Download now

Recommended

Third-party apps are tracking your WhatsApp activity
social media

Third-party apps are tracking your WhatsApp activity

21 Sep 2020
Ransomwiz lets you test your security with simulated ransomware
ransomware

Ransomwiz lets you test your security with simulated ransomware

21 Sep 2020
Best free malware removal tools 2020
Security

Best free malware removal tools 2020

21 Sep 2020
Windows Server flaw sparks emergency US gov warning
vulnerability

Windows Server flaw sparks emergency US gov warning

21 Sep 2020

Most Popular

Google Pixel 4a review: A picture-perfect package
Google Android

Google Pixel 4a review: A picture-perfect package

18 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020