CCBkdr refers to the backdoor injected into a signed and valid version of CCleaner and distributed from CCleaner's legitimate distribution website.[1][2]

The backdoor, which was delivered to 2.27 million CCleaner customers worldwide, was designed to collect information from CCleaner users and download second- and third-stage malware to around 40 targets, making it a highly targeted attack. The third-stage malware is reported to be the infamous ShadowPad backdoor, which also hit NetSarang in a supply chain compromise.

The Initial Access seems to have been through an infected endpoint of a CCleaner developer. According to Avast's investigation, the threat actors accessed Piriform's network in March 2017, before Avast acquired the company, using login credentials to a TeamViewer account on a developer workstation. (Citation: Avast CCleaner)

Security researchers attributed this attack to the APT group APT17, also tracked as Axiom.[3][2]

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | VT0004.002 | Supply Chain Compromise: Compromise Software Supply Chain | CCBkdr was added to a legitimate, signed version 5.33 of the CCleaner software and distributed on CCleaner's distribution site.[1][2][4] |

Threat Actors That Use This Tool

| ID | Name | References |
|---|---|---|
| VG0010 | APT17 | |

APT17 is suspected to be the APT group that inserted the CCBkdr backdoor into CCleaner and distributed it to over 2 million CCleaner users.




Created: 05 May 2021

Last Modified: 05 May 2021