Security researchers revealed that the CCleaner supply chain attack, in which millions of users downloaded a backdoored version of the CCleaner PC utility, was linked to state-sponsored Chinese hackers.
The attack began in July with the compromise of a CCleaner server, which let the attackers inject backdoor code into two versions of the tool: 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191. As a result, between August 15 and September 12, over 2.27 million PC users who downloaded the binaries were infected.
The investigation showed that the backdoored code was only the first stage of the intended compromise, and that the attackers had already delivered a second-stage payload to selected targets.
When a backup of a deleted database holding records of the infected computers was recovered, the investigators found that 1,646,536 unique machines (counted by MAC address) had reported to the command and control (C&C) server. The stage 2 payload, however, was served to only 40 of them.
During their investigation the experts found some connections to a known group of Chinese hackers; however, no definite attribution was made.
According to Intezer researchers, the attack was state-sponsored and it could be linked to Chinese hackers who are part of the Axiom group.
Also referred to as APT17 or DeputyDog, the Axiom group has been associated with Operation Aurora, which began in 2009 and targeted companies including Yahoo, Google, Symantec, Adobe Systems, Rackspace, Juniper Networks, Dow Chemical, and Northrop Grumman.
Intezer claims that analysis of the stage 2 payload used in the CCleaner attack provided a clear link to the group, after the first-stage payload had already revealed code shared with Axiom.
While looking at the backdoor, the experts found the unique code implementation “only previously seen in APT17 and not in any public repository.”
Now the researchers reveal that the stage 2 payload contains code that is an exact match to APT17 malware seen before.
Analysis of the stage 2 payload also showed that one of the dropped modules is a further backdoor designed to connect to a handful of domains. It would also connect to an IP address to fetch the next-stage payload, which the researchers have not been able to identify so far.