Further analysis of the hacked version of system utility CCleaner shows that it was targeting well-known tech companies, deepening the scandal of security vendor Avast missing malware in its midst.
Earlier this week, it transpired that Avast had unwittingly distributed the trojanised CCleaner utility to an estimated 2.27 million users, a number that was later revised down to 700,000.
At the time, Avast believed the second-stage loader in the malware was inactive and would not attempt to fetch an additional payload, but this turned out to be incorrect.
Analysis of the command and control (C&C) server used by the malware showed that hundreds of computers selectively received the second-stage payload, Avast now says.
Cisco's Talos security researchers found a list of 23 tech companies on the C&C server, including Cisco itself, Microsoft, Samsung, Intel, VMware, Sony, Linksys, Vodafone, Google and Singapore telco Singtel.
The list of high-profile tech companies "would suggest a very focused actor after valuable intellectual property," Talos said.
Avast now considers the malware an advanced persistent threat (APT) and the incident a so-called watering hole attack, in which large numbers of users are infected to reach a select few victims.
The second-stage payload contains sophisticated espionage malware for 32 and 64-bit versions of Microsoft's Windows operating system, Talos and Avast said.
While Avast still advises users to remove the infected version of CCleaner and replace it with a clean copy, Talos disagreed, saying the malware was made by a sophisticated actor and required additional precautions.
"These findings also support and reinforce our previous recommendation that those impacted by this supply chain attack should not simply remove the affected version of CCleaner or update to the latest version, but should restore from backups or reimage systems to ensure that they completely remove not only the backdoored version of CCleaner but also any other malware that may be resident on the system," Talos said.
Security vendor Kaspersky also weighed in on the Avast CCleaner debacle, and discovered there is significant code overlap in the malware, and tools used by threat actors known as APT17, Axiom and Group 72.
APT17 targeted journalists, environmental and pro-democracy groups, and Fortune 500 companies in a cyber espionage campaign two years ago, a joint security industry effort led by vendor Novetta found.
Novetta said it had "moderate to high confidence that the organisation-tasking Axiom is part of the Chinese intelligence apparatus."
The United States Federal Bureau of Investigation also believed APT17/Axiom was affiliated with the Chinese government, Novetta said.