Avast: CCleaner malware similar to China's APT17 attacks

Evidence suggests the hackers confused South Korea with Slovakia

binary on a screen with words 'hacking attack'

Avast has said that the recent malware attack using its CCleaner application shares similarities with the tools used by the group known as APT17, a Chinese hacking collective responsible for attacks against Microsoft in 2015.

"Following the take-down of the CnC (command and control) server and getting access to its data, the Avast Security Threat Labs team has been working around the clock to investigate the source and other details of the recent Piriform CCleaner attack," the company said in a blog post.

Advertisement - Article continues below

The parent company behind the popular PC optimising tool said that identifying exactly who was behind the attack remains almost impossible, but that some of the codes used in the hack were almost identical to those found in the APT17/Aurora malware.

Chinese hacking group APT17, known for its attacks against defence agencies, US government departments and technology companies, were able to exploit Microsoft's TechNet website in 2015 to host user comments that were in fact addresses for infected computers to connect to.

In the case of the CCleaner attack, the majority of the connections in the attack originated from Japanese networks, although it is likely that these were infected addresses and simply acted as a proxy to hide the real source. However, it is thought that the hackers had knowledge of Asian networks, and that although many companies in that region were targeted, China was suspiciously unaffected, according to Avast.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

The attack is thought to have affected 2.27 million users, although the real targets are thought to have been large companies, such as Cisco, Samsung, VMware and Google. Originally thought to have affected 20 companies, Avast has since found two more targets that have yet to be publicly identified.

As is frequently the case with malware of this kind, the attack appears to have been fairly unsophisticated. Recovery efforts by the Avast team and law enforcement agencies initially pointed to just four days worth of data collection, suggesting that hoards had been deleted in an effort to avoid being traced.

In reality, the MariaDB database that was used to house the collected data simply ran out of disk space, and Avast spotted numerous desperate attempts by the hackers to clear room. Unfortunately, this has made it difficult to create a full picture of how many were affected by the hack.

Advertisement - Article continues below

The hackers were also a little confused over company domain names. According to data: "The attackers seem to have made a mistake with the domain name of one company specified as "

The researchers also identified a kill switch in the CCleaner malware code, similar to the one found in the WannaCry malware, however, further analysis revealed that it was far less effective at halting the attack.

"Our investigation and hunt for the perpetrators continues," said Avast, in a blog post on Friday. "In the meantime, we advise users who downloaded the affected version to upgrade to the latest version of CCleaner and perform a scan of their computer with a good security software, to ensure no other threats are lurking on their PC."

It added that any company identified as being infected has been notified, however if there are any others that feel they have encountered the malware they should contact Avast through its legal department.

Featured Resources

Preparing for long-term remote working after COVID-19

Learn how to safely and securely enable your remote workforce

Download now

Cloud vs on-premise storage: What’s right for you?

Key considerations driving document storage decisions for businesses

Download now

Staying ahead of the game in the world of data

Create successful marketing campaigns by understanding your customers better

Download now

Transforming productivity

Solutions that facilitate work at full speed

Download now
Advertisement
Advertisement

Recommended

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/security/ransomware/356292/university-of-california-gets-fleeced-by-hackers-for-114-million
ransomware

University of California gets fleeced by hackers for $1.14 million

30 Jun 2020
Visit/security/cyber-security/356289/australia-announces-135b-investment-in-cybersecurity
cyber security

Australia announces $1.35 billion investment in cyber security

30 Jun 2020
Visit/cloud/cloud-security/356288/csa-and-issa-form-cybersecurity-partnership
cloud security

CSA and ISSA form cyber security partnership

30 Jun 2020

Most Popular

Visit/mobile/google-android/356373/over-2-dozen-additional-android-apps-found-stealing-user-data
Google Android

Over two dozen Android apps found stealing user data

7 Jul 2020
Visit/laptops/29190/how-to-find-ram-speed-size-and-type
Laptops

How to find RAM speed, size and type

24 Jun 2020
Visit/cloud/356260/the-road-to-recovery
Sponsored

The road to recovery

30 Jun 2020