Jay Rosenberg, a senior researcher at Intezer, said in a blog post yesterday that based on an analysis of both the first and second stage payloads of the CCleaner malware, and code from the Axiom group, an entity linked to China, he had concluded that there was a very strong possibility that both were from the same source.
The claim of a Chinese link was first made by Avast, the owner of CCleaner, last month, and subsequently withdrawn. Avast became the owner of CCleaner when it acquired Piriform, the British company that owned the software.
Listed were Cisco, Intel, Microsoft, HTC, Samsung, VMware, Akamai, Sony, Singtel, D-Link, O2, Vodafone, German gaming and gambling company Gauselmann, Linksys, Gmail, MSI, Dynamic Network Services and Epson.
Rosenberg said the code in the CCleaner malware had been compared against all the code samples in Intezer's database.
"...out of all the billions and billions of pieces of code (both trusted and malicious) contained in the Intezer Code Genome Database, we found this code in only these APTs (advanced persistent threats)," he wrote.
It was also worth noting that both sets of code were not using a standard method one would use to call an API, he added.
"The attacker used the simple technique of employing an array to hide a string from being in clear sight of those analysing the binary (although to those who are more experienced, it is obvious) and remain undetected from antivirus signatures," Rosenberg said.
"The author probably copied and pasted the code, which is what often happens to avoid duplication: rewriting the same code for the same functionality twice. Due to the uniqueness of the shared code, we strongly concluded that the code was written by the same attacker."
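The array technique Rosenberg describes above, seen from the analyst's side: a character array filled one element at a time compiles to a run of single-byte stack stores, so the API name never appears contiguously in the file. The following scanner is an added illustration written for this article, not Intezer's or Avast's code; it assumes 32-bit x86 code, the two common store encodings, and a constructed sample buffer rather than bytes from the real payload.

```python
"""Recover strings assembled byte-by-byte on the stack from raw 32-bit x86 code.
Added illustration, not Intezer's or Avast's code. Handles `mov byte ptr [ebp+disp8], imm8`
(C6 45 disp8 imm8) and `mov byte ptr [esp+disp8], imm8` (C6 44 24 disp8 imm8)."""
import re
from typing import Dict, List

def _emit(run: Dict[int, int], out: List[str], min_len: int) -> None:
    """Join one run of stores in stack-offset order; split at NULs and offset gaps."""
    pieces, cur, prev = [], bytearray(), None
    for off, val in sorted(run.items()):
        if prev is not None and off != prev + 1:   # non-adjacent slot: new string
            pieces.append(bytes(cur)); cur = bytearray()
        if val == 0:                               # NUL terminator ends the string
            pieces.append(bytes(cur)); cur = bytearray()
        else:
            cur.append(val)
        prev = off
    pieces.append(bytes(cur))
    out.extend(p.decode("ascii") for p in pieces
               if len(p) >= min_len and all(0x20 <= b < 0x7F for b in p))

def find_stack_strings(code: bytes, min_len: int = 4) -> List[str]:
    """Return printable strings rebuilt from consecutive stack byte stores."""
    out: List[str] = []
    run, i = {}, 0
    while i < len(code):
        if code[i] == 0xC6 and i + 3 < len(code) and code[i + 1] == 0x45:
            disp, imm, size = code[i + 2], code[i + 3], 4   # [ebp+disp8]
        elif code[i:i + 3] == b"\xC6\x44\x24" and i + 4 < len(code):
            disp, imm, size = code[i + 3], code[i + 4], 5   # [esp+disp8]
        else:                                                # any other byte ends the run
            _emit(run, out, min_len)
            run, i = {}, i + 1
            continue
        run[disp - 0x100 if disp >= 0x80 else disp] = imm    # disp8 is signed
        i += size
    _emit(run, out, min_len)
    return out

def plain_strings(code: bytes, min_len: int = 4) -> List[str]:
    """What a `strings`-style scan sees: only contiguous printable runs."""
    return [m.decode("ascii") for m in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, code)]

# Constructed sample (not bytes from the CCleaner payload): prologue, stack-built
# "GetProcAddress" with its NUL store emitted first, ret, esp-built "Sleep", plaintext.
SAMPLE = bytes.fromhex(
    "558BEC" "C645FA00C645EC47C645ED65C645EE74C645EF50C645F072C645F16F"
    "C645F263C645F341C645F464C645F564C645F672C645F765C645F873C645F973" "C3"
    "C644240853C64424096CC644240A65C644240B65C644240C70C644240D00"
) + b"LoadLibraryA\x00"
```

On the sample, `plain_strings` reports only `LoadLibraryA`, while `find_stack_strings` recovers `GetProcAddress` and `Sleep`, which is why a string that is invisible to simple signatures can still be matched once it is reassembled.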
He added that the complexity and quality of the CCleaner attack "has led our team to conclude that it was most likely state-sponsored. Considering this new evidence, the malware can be attributed to the Axiom group due to both the nature of the attack itself and the specific code re-use throughout that our technology was able to uncover".
Avast has made no further comment about the compromise after its last blog post on 25 September.