{
	"id": "839f7db5-e139-4086-9853-9ba391ae4b10",
	"created_at": "2026-04-06T00:18:28.50108Z",
	"updated_at": "2026-04-10T03:20:27.373228Z",
	"deleted_at": null,
	"sha1_hash": "53edf2561b653e5d1575c7bcdd36cf3a136714b9",
	"title": "Progress on CCleaner Investigation",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 39847,
	"plain_text": "Progress on CCleaner Investigation\r\nBy Vince Steckler \u0026 Ondrej Vlcek, 21 Sep 2017\r\nArchived: 2026-04-05 15:06:07 UTC\r\nLarge technology and telecommunications companies were targeted\r\nFollowing the take-down of the CnC server and getting access to its data, the Avast Security Threat Labs team has\r\nbeen working around the clock to investigate the source and other details of the recent Piriform CCleaner attack.\r\nTo recap, the attack affected a total of 2.27M computers between August 15, 2017 and September 15, 2017 and\r\nused the popular PC cleaning software CCleaner version 5.33.6162 as a distribution vehicle. Today, we would like\r\nto report on the progress so far.\r\nFirst of all, analysis of the data from the CnC server has proven that this was an APT (Advanced Persistent Threat)\r\nprogrammed to deliver the 2nd stage payload to select users. Specifically, the server logs indicated 20 machines in\r\na total of 8 organizations to which the 2nd stage payload was sent, but given that the logs were only collected for\r\na little over three days, the actual number of computers that received the 2nd stage payload was likely at least in the\r\norder of hundreds. This is a change from our previous statement, in which we said that, to the best of our\r\nknowledge, the 2nd stage payload was never delivered.\r\nAt the time the server was taken down, the attack was targeting select large technology and telecommunication\r\ncompanies in Japan, Taiwan, the UK, Germany and the US. Given that CCleaner is a consumer-oriented product, this\r\nwas a typical watering hole attack where the vast majority of users were uninteresting for the attacker, but select\r\nones were. 
For privacy reasons, we’re not disclosing the list of targeted companies publicly; instead, we have been\r\nreaching out individually to those companies who we know have been impacted, and providing them with\r\nadditional technical information to assist them.\r\nThe 2nd stage payload is a relatively complex piece of code that uses two components (DLLs). The first\r\ncomponent contains the main business logic. As with the first payload, it is heavily obfuscated and uses a number\r\nof anti-debugging and anti-emulation tricks. Much of the logic is related to finding, and connecting to, yet\r\nanother CnC server, whose address can be determined using three different mechanisms: 1) an account on GitHub,\r\n2) an account on Wordpress, and 3) a DNS record of a domain get.adxxxxxx.net (name modified here).\r\nSubsequently, the address of the CnC server can also be arbitrarily modified in the future by sending a special\r\ncommand, recognized by the code as a signal to use the DNS protocol (udp/53) to get the address of the new\r\nserver. Together with law enforcement, we’re continuing the analysis by getting access to the data from these\r\nadditional CnC servers and tracing further to the attacker.\r\nThe second part of the payload is responsible for persistence. Here, a different mechanism is used on Windows 7+\r\nthan on Windows XP. On Windows 7+, the binary is dumped to a file called\r\n“C:\\Windows\\system32\\lTSMSISrv.dll” and automatic loading of the library is ensured by autorunning the NT\r\nservice “SessionEnv” (the RDP service). On XP, the binary is saved as\r\n“C:\\Windows\\system32\\spool\\prtprocs\\w32x86\\localspl.dll” and the code uses the “Spooler” service to load it.\r\nhttps://blog.avast.com/progress-on-ccleaner-investigation\r\nPage 1 of 2\n\nStructurally, the DLLs are quite interesting because they piggyback on other vendors’ code by injecting the\r\nmalicious functionality into legitimate DLLs. 
The 32-bit code is activated through a patched version of\r\nVirtCDRDrv32.dll (part of Corel’s WinZip package), while the 64-bit code uses EFACli64.dll, part of a Symantec\r\nproduct. Most of the malicious code is delivered from the registry (the binary code is saved directly in the registry under the keys\r\n“HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\WbemPerf\\00[1-4]”). Again,\r\nall of these techniques demonstrate the attacker’s high level of sophistication.\r\nIn parallel to the technical analysis, we have continued working with law enforcement units to trace back the\r\nsource of the attack. We are committed to getting to the bottom of who is behind this attack. While providing\r\nroutine periodic updates, our energies are focused on catching the perpetrators. Our approach is to do all of this in\r\nthe background, to increase our chances of identifying the perpetrator. We believe nothing is served by being too\r\nnoisy, e.g. stating who was targeted and/or compromised; it is up to the target to choose when to disclose.\r\nFinally, it is extremely important to us to resolve the issue on customer machines. For consumers, we stand by the\r\nrecommendation to upgrade CCleaner to the latest version (now 5.35, after we have revoked the signing certificate\r\nused to sign the impacted version 5.33) and use a quality antivirus product, such as Avast Antivirus. For corporate\r\nusers, the decision may be different and will likely depend on corporate IT policies. At this stage, we cannot state\r\nthat the corporate machines could not be compromised, even though the attack was highly targeted.\r\nWe will provide additional updates as we progress.\r\nVince Steckler, CEO\r\nOndrej Vlcek, CTO and EVP Consumer Business\r\nSource: https://blog.avast.com/progress-on-ccleaner-investigation",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://blog.avast.com/progress-on-ccleaner-investigation"
	],
	"report_names": [
		"progress-on-ccleaner-investigation"
	],
	"threat_actors": [],
	"ts_created_at": 1775434708,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/53edf2561b653e5d1575c7bcdd36cf3a136714b9.pdf",
		"text": "https://archive.orkl.eu/53edf2561b653e5d1575c7bcdd36cf3a136714b9.txt",
		"img": "https://archive.orkl.eu/53edf2561b653e5d1575c7bcdd36cf3a136714b9.jpg"
	}
}