Avast: CCleaner malware similar to China's APT17 attacks

Evidence suggests the hackers confused South Korea with Slovakia

binary on a screen with words 'hacking attack'

Avast has said that the recent malware attack using its CCleaner application shares similarities with the tools used by the group known as APT17, a Chinese hacking collective responsible for attacks against Microsoft in 2015.

"Following the take-down of the CnC (command and control) server and getting access to its data, the Avast Security Threat Labs team has been working around the clock to investigate the source and other details of the recent Piriform CCleaner attack," the company said in a blog post.

The parent company behind the popular PC optimising tool said that identifying exactly who was behind the attack remains almost impossible, but that some of the codes used in the hack were almost identical to those found in the APT17/Aurora malware.

Chinese hacking group APT17, known for its attacks against defence agencies, US government departments and technology companies, were able to exploit Microsoft's TechNet website in 2015 to host user comments that were in fact addresses for infected computers to connect to.

In the case of the CCleaner attack, the majority of the connections in the attack originated from Japanese networks, although it is likely that these were infected addresses and simply acted as a proxy to hide the real source. However, it is thought that the hackers had knowledge of Asian networks, and that although many companies in that region were targeted, China was suspiciously unaffected, according to Avast.

The attack is thought to have affected 2.27 million users, although the real targets are thought to have been large companies, such as Cisco, Samsung, VMware and Google. Originally thought to have affected 20 companies, Avast has since found two more targets that have yet to be publicly identified.

As is frequently the case with malware of this kind, the attack appears to have been fairly unsophisticated. Recovery efforts by the Avast team and law enforcement agencies initially pointed to just four days worth of data collection, suggesting that hoards had been deleted in an effort to avoid being traced.

In reality, the MariaDB database that was used to house the collected data simply ran out of disk space, and Avast spotted numerous desperate attempts by the hackers to clear room. Unfortunately, this has made it difficult to create a full picture of how many were affected by the hack.

The hackers were also a little confused over company domain names. According to data: "The attackers seem to have made a mistake with the domain name of one company specified as "

The researchers also identified a kill switch in the CCleaner malware code, similar to the one found in the WannaCry malware, however, further analysis revealed that it was far less effective at halting the attack.

"Our investigation and hunt for the perpetrators continues," said Avast, in a blog post on Friday. "In the meantime, we advise users who downloaded the affected version to upgrade to the latest version of CCleaner and perform a scan of their computer with a good security software, to ensure no other threats are lurking on their PC."

It added that any company identified as being infected has been notified, however if there are any others that feel they have encountered the malware they should contact Avast through its legal department.

Featured Resources

BCDR buyer's guide for MSPs

How to choose a business continuity and disaster recovery solution

Download now

The definitive guide to IT security

Protecting your MSP and your customers

Download now

Cost of a data breach report 2020

Find out what factors help mitigate breach costs

Download now

The complete guide to changing your phone system provider

Optimise your phone system for better business results

Download now

Recommended

HackBoss malware is using Telegram to steal cryptocurrency from other hackers
cryptocurrencies

HackBoss malware is using Telegram to steal cryptocurrency from other hackers

16 Apr 2021
Google’s about to push everyone into two-factor authentication
Security

Google’s about to push everyone into two-factor authentication

6 May 2021
Defense Dept. expands vulnerability disclosure program to all publicly accessible defense systems
ethical hacking

Defense Dept. expands vulnerability disclosure program to all publicly accessible defense systems

5 May 2021
Security researchers take control of a Tesla via drone
ethical hacking

Security researchers take control of a Tesla via drone

5 May 2021

Most Popular

KPMG offers staff 'four-day fortnight' in hybrid work plans
flexible working

KPMG offers staff 'four-day fortnight' in hybrid work plans

6 May 2021
Dell patches vulnerability affecting hundreds of computer models worldwide
cyber security

Dell patches vulnerability affecting hundreds of computer models worldwide

5 May 2021
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

29 Apr 2021