Avast: CCleaner malware similar to China's APT17 attacks

Evidence suggests the hackers confused South Korea with Slovakia

binary on a screen with words 'hacking attack'

Avast has said that the recent malware attack using its CCleaner application shares similarities with the tools used by the group known as APT17, a Chinese hacking collective responsible for attacks against Microsoft in 2015.

"Following the take-down of the CnC (command and control) server and getting access to its data, the Avast Security Threat Labs team has been working around the clock to investigate the source and other details of the recent Piriform CCleaner attack," the company said in a blog post.

The parent company behind the popular PC optimising tool said that identifying exactly who was behind the attack remains almost impossible, but that some of the codes used in the hack were almost identical to those found in the APT17/Aurora malware.

Chinese hacking group APT17, known for its attacks against defence agencies, US government departments and technology companies, were able to exploit Microsoft's TechNet website in 2015 to host user comments that were in fact addresses for infected computers to connect to.

In the case of the CCleaner attack, the majority of the connections in the attack originated from Japanese networks, although it is likely that these were infected addresses and simply acted as a proxy to hide the real source. However, it is thought that the hackers had knowledge of Asian networks, and that although many companies in that region were targeted, China was suspiciously unaffected, according to Avast.

Advertisement - Article continues below
Advertisement - Article continues below

The attack is thought to have affected 2.27 million users, although the real targets are thought to have been large companies, such as Cisco, Samsung, VMware and Google. Originally thought to have affected 20 companies, Avast has since found two more targets that have yet to be publicly identified.

As is frequently the case with malware of this kind, the attack appears to have been fairly unsophisticated. Recovery efforts by the Avast team and law enforcement agencies initially pointed to just four days worth of data collection, suggesting that hoards had been deleted in an effort to avoid being traced.

In reality, the MariaDB database that was used to house the collected data simply ran out of disk space, and Avast spotted numerous desperate attempts by the hackers to clear room. Unfortunately, this has made it difficult to create a full picture of how many were affected by the hack.

The hackers were also a little confused over company domain names. According to data: "The attackers seem to have made a mistake with the domain name of one company specified as "

The researchers also identified a kill switch in the CCleaner malware code, similar to the one found in the WannaCry malware, however, further analysis revealed that it was far less effective at halting the attack.

Advertisement - Article continues below

"Our investigation and hunt for the perpetrators continues," said Avast, in a blog post on Friday. "In the meantime, we advise users who downloaded the affected version to upgrade to the latest version of CCleaner and perform a scan of their computer with a good security software, to ensure no other threats are lurking on their PC."

It added that any company identified as being infected has been notified, however if there are any others that feel they have encountered the malware they should contact Avast through its legal department.

Featured Resources

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Three keys to maximise application migration and modernisation success

Harness the benefits that modernised applications can offer

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

The 3 approaches of Breach and Attack Simulation technologies

A guide to the nuances of BAS, helping you stay one step ahead of cyber criminals

Download now



Hackers abuse LinkedIn DMs to plant malware

25 Feb 2019

Best free malware removal tools 2019

23 Dec 2019
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
General Data Protection Regulation (GDPR)

Data protection fines hit £100m during first 18 months of GDPR

20 Jan 2020
web browser

What is HTTP error 503 and how do you fix it?

7 Jan 2020