Windows News and info 15th Anniversary 2009-2024


Title: Fake Windows PC Cleaner Drops AZORult Info-Stealing Trojan
Post by: javajolt on April 28, 2019, 01:23:24 AM
Researchers have discovered a web site pushing a PC cleaner tool for Windows that in reality is just a front for the AZORult password and information-stealing Trojan.

AZORult is a Trojan that, once installed, attempts to steal a user's browser passwords, FTP client passwords, cryptocurrency wallets, desktop files, and much more.

Instead of renting distribution methods such as spam campaigns or exploit kits, or having it dropped by other Trojans, the attackers decided to create a fake Windows utility and an accompanying web site to distribute the Trojan.

The G-Cleaner facade

(http://i.postimg.cc/D0Q0BLM2/website.png) (http://i.postimg.cc/wBP1v6Nd/website.png)
G-Cleaner web site

According to the site, G-Cleaner or Garbage Cleaner is a Windows junk cleaner that removes temporary files, broken shortcuts, and unnecessary Registry entries. Overall, it's promoted like all the other system optimization tools that we see regularly being offered.

Quote
"G-Cleaner can clean unneeded files, settings, and Registry entries for web browsers and many installed applications on your system, as well as Windows features.

G-Cleaner is a small, effective utility for computers running Microsoft Windows that cleans out the 'junk' that accumulates over time: temporary files, broken shortcuts, and other problems. G-Cleaner protects your privacy. It cleans your browsing history and temporary internet files, allowing you to be a more confident Internet user and less susceptible to identity theft."

Even when you download and run the program, it looks like countless other homemade PC cleaners and claims it will scan your computer for junk files and remove them.

(http://i.postimg.cc/bJxqh8Hg/g-cleaner.png) (http://i.postimg.cc/HspkTJNy/g-cleaner.png)
Fake G-Cleaner PC junk cleaner

Trojan dropped behind the scenes

When the G-Cleaner program is installed, it downloads the main components of the fake PC cleaner and saves them to the C:\ProgramData\Garbage Cleaner or C:\ProgramData\G-Cleaner folder, depending on the version.

It then extracts a randomly named file to the %Temp% folder and executes it. This file is the malware component that attempts to steal the computer's passwords, data, wallets, and other information.

While running, it communicates with a command and control server via the gate.php script, as shown in the image below. As its last communication before it removes itself, it uploads a file called Encrypted.zip that contains the data harvested from the victim's machine.

(http://i.postimg.cc/0Q8Bzs1c/fiddler-traffic.png) (http://i.postimg.cc/VkCTTgFB/fiddler-traffic.png)
Network traffic from the dropped file

You can see the network communication by the malware component in this Any.run session (http://app.any.run/tasks/e2dec634-b6c1-4183-a421-fdd09e5db5ff).

Still active a month later

Even though this site and the malware it is pushing are over one month old, the site is still up and running. Just yesterday, another researcher named JamesWT discovered it again, and even a month later few antivirus vendors were detecting it as malicious.

(http://i.postimg.cc/52s3sFhq/1.png)

This site and the malware it distributes illustrate how important it is for users not to haphazardly download programs from the Internet.

Instead, users should research a site before downloading and installing a program, to determine whether it has a good reputation and can be trusted. Even then, it is always suggested that you upload the program to a site like VirusTotal to confirm whether it is safe to run.

With that said, there will always be some confusion as legitimate programs, like my Rkill, can still have false positives. In situations like this, you will need to weigh all the factors such as site trustworthiness, reviews, and word of mouth to decide if you should run the program.

source (http://www.bleepingcomputer.com/news/security/fake-windows-pc-cleaner-drops-azorult-info-stealing-trojan/)
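The behaviour described in the post (a binary launched from %Temp% by a parent living in the C:\ProgramData\G-Cleaner or C:\ProgramData\Garbage Cleaner folder, followed by POSTs to gate.php and a final Encrypted.zip upload) maps directly onto simple host and proxy detection logic. The Python below is an added example, not code from the original post or from BleepingComputer; the key=value log format, the host name c2.example.invalid and the executable names are constructed for the demo.

```python
import re

# Constructed sample telemetry (not from the original post): one event per
# line in a simple key=value form resembling Sysmon process-creation records
# and web-proxy logs. Host name and binary names are made up.
SAMPLE_LOGS = [
    'kind=proc image="C:\\ProgramData\\G-Cleaner\\gcleaner.exe" parent="C:\\Users\\bob\\Downloads\\G-Cleaner_setup.exe"',
    'kind=proc image="C:\\Users\\bob\\AppData\\Local\\Temp\\xk29fq.exe" parent="C:\\ProgramData\\G-Cleaner\\gcleaner.exe"',
    'kind=http method=POST host=c2.example.invalid path=/gate.php bytes=412',
    'kind=http method=POST host=c2.example.invalid path=/gate.php file=Encrypted.zip bytes=88214',
    'kind=proc image="C:\\Windows\\System32\\notepad.exe" parent="C:\\Windows\\explorer.exe"',
    'kind=http method=GET host=www.example.invalid path=/index.html bytes=0',
]

# key=value or key="quoted value"
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Drop folders named in the post (both versions of the fake cleaner).
DROPPER_DIRS = ("c:\\programdata\\garbage cleaner\\", "c:\\programdata\\g-cleaner\\")


def parse(line: str) -> dict:
    """Turn one log line into a dict of its fields."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}


def is_temp_path(path: str) -> bool:
    """True if the image lives under a common expansion of %Temp%."""
    p = path.lower()
    return "\\appdata\\local\\temp\\" in p or "\\windows\\temp\\" in p


def detect(lines) -> list:
    """Return (rule_name, detail) tuples for every matching event, in order."""
    hits = []
    for line in lines:
        ev = parse(line)
        if ev.get("kind") == "proc":
            parent = ev.get("parent", "").lower()
            # Host rule: the cleaner's own folder spawning a random %Temp% binary.
            if any(parent.startswith(d) for d in DROPPER_DIRS) and is_temp_path(ev.get("image", "")):
                hits.append(("temp_exec_from_cleaner_dir", ev["image"]))
        elif ev.get("kind") == "http" and ev.get("method") == "POST":
            # Network rule: POSTs to the gate.php C2 script; the Encrypted.zip
            # upload is the final exfiltration step described in the post.
            if ev.get("path", "").lower().endswith("gate.php"):
                rule = "gate_php_exfil_upload" if ev.get("file", "").lower() == "encrypted.zip" else "gate_php_checkin"
                hits.append((rule, ev["host"]))
    return hits
```

In a real deployment the gate.php rule needs pairing with the host rule or an allowlist, since gate.php is a common name and alone would be noisy.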