Malware, Network Security, Vulnerability Management

Avast narrows down probable location of CCleaner attacker

Avast continued to reveal further details surrounding the cyberattack that placed a backdoor in its free computer maintenance app, CCleaner. The company now believes the attack originated from a country located in the UTC + 4 or UTC + 5 time zones.

One week after news broke that a malicious version of CCleaner had been downloaded by an estimated 2.27 million people, Avast says it narrowed down the attackers' probable location to the two time zones – which encompass a huge swath of Europe, the Middle East, and Asia – based on the time and days of the week that the command and control server was accessed by its owners.

Avast also noted that the server was contacted by 1.6 million unique MAC addresses, all of which belong to 12 major conglomerates, with 40 of these computers receiving a second stage payload.

The biggest clue for Avast's research was the C2 server's administrator's daily work schedule. After examining 100 connections made to the server, Avast researchers could discern that, just like every other working person, the individual in charge of maintenance kept a steady routine, essentially working 9 to 5, Monday through Friday.

“In total, the operator connected to the server 83 times (plus 17 more times to the backup server), to do various things from installing and setting up the systems to monitoring it and resolving respective issues, such as to fix the crashed database. Which made us think that this was in fact someone's ‘day job.' The hypothesis was further supported by the fact that there were many fewer connections to the server on Saturdays, and almost no connections on Sundays,” Avast reported.

Plotting the schedule showed the person's activity mirrored that of many IT workers. The workday started around 9 a.m., with four or five hours of work being recorded, followed by a break and additional time spent on the job in the evening.

“Given the typical working day starts at 8 a.m. or 9 a.m., this leads us to the most likely location of the attacker in the time zone UTC + 4 or UTC + 5, leading us to Russia or the eastern part of Middle East/Central Asia and India. Furthermore, given the clear lack of traffic on Saturdays and Sundays, it would indicate that it wasn't an Arabic country,” Avast said.

These two time zones encompass a huge swath of Europe, the Middle East, and Asia, including Russia, Pakistan, China, India and other nations that are hotbeds of cybercriminal activity. As further evidence that this could be the region, Avast pointed out that none of the 12 companies that own the 40 computers that received the secondary payload isheadquartered in any of the countries in these time zones.

The companies involved are:, NEC, Samsung, ASUS, Fujitsu, Sony America, Infoview2u, a UK telco, Gauselmann, Singtel, Intel, and VMWare.

“We have reached out to all these companies, with the aim of providing them with detailed information about the incident, list of impacted computers, and additional IOCs that can be used to detect the infection and take corrective actions,” Avast said.

The second stage payload that was installed on these computers could have been used to execute malicious code.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.