Windows 10 News and info | Forum
November 21, 2019, Loading... *
Welcome, Guest. Please login or register.

Login with username, password and session length
News: This is a clean Ad-free Forum and protected by StopForumSpam, Project Honeypot, Botscout and AbuseIPDB | This forum does not use audio ads, popups, or other annoyances. New member registration currently disabled.
  Website   Home   Windows 8 Website GDPR Help Login Register  
By continuing to use the site or forum, you agree to the use of cookies, find out more by reading our GDPR policy.
Pages: [1]
Share this topic on Del.icio.usShare this topic on DiggShare this topic on FacebookShare this topic on GoogleShare this topic on MySpaceShare this topic on RedditShare this topic on StumbleUponShare this topic on TechnoratiShare this topic on TwitterShare this topic on YahooShare this topic on Google buzz
Author Topic: Fake Windows PC Cleaner Drops AZORult Info-Stealing Trojan  (Read 113 times)
Hero Member
Online Online

Gender: Male
United States United States

Posts: 30718

I Do Windows

WWW Email
« on: April 28, 2019, 01:23:24 AM »

Researchers have discovered a web site pushing a PC cleaner tool for Windows that in reality is just a front for the Azorult password and information-stealing Trojan.

AZORult is a trojan that when installed attempts to steal a user's browser passwords, FTP client passwords, cryptocurrency wallets, desktop files, and much more.

Instead of renting distribution methods such as spam, exploit kits, or being dropped by other trojans, the attackers decided to create a fake Windows utility and an accompanying web site to distribute the Trojan instead.

The G-Cleaner facade

G-Cleaner Web Site - lick to enlarge

According to the site, G-Cleaner or Garbage Cleaner is a Windows junk cleaner that removes temporary files, broken shortcuts, and unnecessary Registry entries. Overall, it's promoted like all the other system optimization tools that we see regularly being offered.

"G-Cleaner can clean unneeded files, settings, and Registry entries for web browsers and many installed applications on your system, as well as Windows features.

G-Cleaner is a small, effective utility for computers running Microsoft Windows that cleans out the 'junk' that accumulates over time: temporary files, broken shortcuts, and other problems. G-Cleaner protects your privacy. It cleans your browsing history and temporary internet files, allowing you to be a more confident Internet user and less susceptible to identity theft."

Even when you download and run the program, it looks like countless other homemade PC cleaners and states it will scan your computer for junk files and remove them.

Fake G-Cleaner PC Junk Cleaner - click to enlarge

Trojan dropped behind the scenes

When the G-Cleaner program is installed, it will download the main components of the fake PC cleaner and save them to the C:\ProgramData\Garbage Cleaner or C:\ProgramData\G-Cleaner folders depending on the version.

It will then extract a randomly named file to the %Temp% folder and execute it. This file is the malware component that will attempt to steal your computer's passwords, data, wallets, and other information.

While running it will communicate with a Command & Control server via the gate.php script as shown in the image below.  As it's last communication before it removes itself, it will upload a file called that contains the harvested data from a victims machine.

Network traffic from dropped file - click to enlarge

You can see the network communication by the malware component in this session.

Still active a month later

Even though this site and the malware that is being pushed is over one month old, the site is still up and running. Just yesterday, another researcher named JamesWT discovered it again and even a month later, few antivirus vendors were detecting it as malicious.

This site and the malware it distributes illustrates how important it is for users to not haphazardly download programs from the Internet.

Instead, users should research a site before downloading and installing a program to determine if they have a good reputation and can be trusted. Even then, it is always suggested that you upload the program to a site like VirusTotal to confirm if it's safe to run.

With that said, there will always be some confusion as legitimate programs, like my Rkill, can still have false positives. In situations like this, you will need to weigh all the factors such as site trustworthiness, reviews, and word of mouth to decide if you should run the program.


Pages: [1]
Jump to:  

Powered by SMF 1.1.21 | SMF © 2017, Simple Machines

Google visited last this page September 11, 2019, 08:15:28 AM