The CCleaner hack that saw a backdoor inserted into the CCleaner binary and distributed to at least 2.27 million users was far from the work of a rogue employee. The attack was much more sophisticated and bears the hallmarks of a nation state actor. The number of users infected with the first stage malware may have been be high, but they were not being targeted. The real targets were technology firms and the goal was industrial espionage.

Avast, which acquired Piriform – the developer of Cleaner – in the summer, announced earlier this month that the CCleaner v5.33.6162 build released on August 15 was used as a distribution vehicle for a backdoor. Avast’s analysis suggested this was a multi-stage malware, capable of installing a second-stage payload; however, Avast did not believe the second-stage payload ever executed.

Swift action was taken following the discovery of the CCleaner hack to take down the attacker’s server and a new malware-free version of CCleaner was released. Avast said in a blog post that simply updating to the new version of CCleaner – v5.35 – would be sufficient to remove the backdoor, and that while this appeared to be a multi-stage malware

Further analysis of the CCleaner hack has revealed that was not the case, at least for some users of CCleaner. The second stage malware did execute in some cases.

The second payload differed depending on the operating system of the compromised system. Avast said, “On Windows 7+, the binary is dumped to a file called “C:\Windows\system32\lTSMSISrv.dll” and automatic loading of the library is ensured by autorunning the NT service “SessionEnv” (the RDP service). On XP, the binary is saved as “C:\Windows\system32\spool\prtprocs\w32x86\localspl.dll” and the code uses the “Spooler” service to load.”

Avast determined the malware was an Advanced Persistent Threat that would only deliver the second-stage payload to specific users. Avast was able to determine that 20 machines spread across 8 organizations had the second stage malware delivered, although since logs were only collected for a little over 3 days, the actual total infected with the second stage was undoubtedly higher. Avast estimates the number of devices infected was likely “in the hundreds”.

Avast has since issued an update saying, “At the time the server was taken down, the attack was targeting select large technology and telecommunication companies in Japan, Taiwan, UK, Germany.”

The majority of devices infected with the first backdoor were consumers, since CCleaner is a consumer-oriented product; however, consumers are believed to be of no interest to the attackers and that the CCleaner hack was a watering hole attack. The aim was to gain access to computers used by employees of tech firms. Some of the firms targeted in this CCleaner hack include Google, Microsoft, Samsung, Sony, Intel, HTC, Linksys, D-Link, and Cisco.

The second stage of the attack delivered keylogging and data collection malware. Kaspersky and FireEye researchers have connected the attack to the hacking group APT 17, noting similarities in the infrastructure with the nation state actor. It was APT 17 that was behind the Operation Aurora attack which similarly targeted tech companies in 2009. Cisco Talos researchers noted that one of the configuration files was set to a Chinese time zone, further suggesting this was the work of a nation-state hacking group based in China.

While Avast previously said upgrading to the latest version would be sufficient to remove the backdoor, it would not remove the second-stage malware. Data could still be exfiltrated to the attackers C2 server, which was still active. Avast is currently working with the targeted companies and is providing assistance.

Cisco Talos criticized Avast’s stance on the attack, explaining in a recent blog post, “it’s imperative to take these attacks seriously and not to downplay their severity,” also suggesting users should “restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system.”