Fake Windows cleaner utility G-Cleaner delivers AZORult trojan
- G-Cleaner, a fake Windows PC cleaner tool also known as Garbage Cleaner, delivers the AZORult info-stealer malware onto victims’ computers.
- In order to avoid falling prey to such malware attacks, users should check a site’s reputation and look for reviews before downloading and installing a program.
What is the issue - G-Cleaner, a fake Windows PC cleaner tool also known as Garbage Cleaner, delivers the AZORult info-stealer malware onto victims’ computers.
What is G-Cleaner - Garbage Cleaner is promoted as a Windows cleaner utility that removes temporary files, broken shortcuts, and unnecessary Registry entries from a Windows PC.
The big picture
A security researcher named ‘Benkow’ uncovered a website named gcleaner[.]info that was promoting the Windows cleaner tool G-Cleaner.
- When installed, the G-Cleaner tool downloads the main components of the fake Windows cleaner and saves them to either the C:\ProgramData\Garbage Cleaner or the C:\ProgramData\G-Cleaner folder, depending on the version.
- The Windows cleaner tool then extracts a malicious file (AZORult) to the %Temp% folder and executes it.
- Once executed, AZORult attempts to steal passwords, data, wallets, and other information.
- The malware then creates a zip archive and stores all the stolen data in the archive.
- Before removing itself, it uploads the Encrypted.zip file containing the stolen data to its C&C server.
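The chain above maps onto a handful of host-telemetry observations that can be correlated in order. The following Python is an added example, not code from the report or from the researchers cited; it walks constructed Sysmon-style events (event type, acting image, target), and the event layout, the assumption that %Temp% resolves to AppData\Local\Temp, and every sample path and address are constructed for illustration.

```python
import re

# Install directories named in the report (either is used, depending on the version).
STAGER_DIRS = ("c:\\programdata\\garbage cleaner\\", "c:\\programdata\\g-cleaner\\")
# Assumption: %Temp% resolves to the per-user AppData\Local\Temp directory.
TEMP_RE = re.compile(r"\\appdata\\local\\temp\\", re.I)
STAGES = ("drop_to_temp", "exec_from_temp", "staged_archive", "exfil")

# Constructed sample events (not real telemetry): (event type, acting image, target).
# For NetworkConnect the target is the remote endpoint; 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    ("ProcessCreate", r"C:\Users\alice\Downloads\gcleaner_setup.exe",
     r"C:\ProgramData\Garbage Cleaner\gcleaner.exe"),
    ("FileCreate", r"C:\ProgramData\Garbage Cleaner\gcleaner.exe",
     r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    ("ProcessCreate", r"C:\ProgramData\Garbage Cleaner\gcleaner.exe",
     r"C:\Users\alice\AppData\Local\Temp\svc.exe"),
    ("FileCreate", r"C:\Users\alice\AppData\Local\Temp\svc.exe",
     r"C:\Users\alice\AppData\Local\Temp\Encrypted.zip"),
    ("NetworkConnect", r"C:\Users\alice\AppData\Local\Temp\svc.exe", "203.0.113.10:80"),
    ("FileCreate", r"C:\Program Files\Notepad++\notepad++.exe", r"C:\Users\alice\Documents\notes.txt"),
]


def find_chain(events):
    """Walk events in order and return (stage, detail) findings for each step of the chain."""
    findings, dropped = [], set()
    for kind, image, target in events:
        img, tgt = image.lower(), target.lower()
        if kind == "FileCreate" and img.startswith(STAGER_DIRS) and TEMP_RE.search(tgt):
            findings.append(("drop_to_temp", target))   # stager writes a payload into %Temp%
            dropped.add(tgt)
        elif kind == "ProcessCreate" and tgt in dropped:
            findings.append(("exec_from_temp", target))  # that payload is launched
        elif kind == "FileCreate" and img in dropped and tgt.endswith("\\encrypted.zip"):
            findings.append(("staged_archive", target))  # stolen data zipped for upload
        elif kind == "NetworkConnect" and img in dropped:
            findings.append(("exfil", target))           # dropped payload talks out (C&C upload)
    return findings


def chain_complete(events):
    """True when every stage of the described chain was observed."""
    return set(STAGES) <= {stage for stage, _ in find_chain(events)}
```

Keying the later stages on the file the stager actually dropped, rather than on any process in %Temp%, keeps ordinary installers that unpack to %Temp% from matching.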
Another security researcher named JamesWT detected the fake PC Cleaner again and noted that the site is still up.
Worth noting - Attackers are now creating fake Windows utilities with accompanying websites to deliver malware, instead of relying on traditional distribution methods such as phishing emails, exploit kits, and other malware downloaders.
The bottom line - In order to avoid falling prey to such malware attacks, users should check a site’s reputation and look for reviews before downloading and installing a program. It is also suggested that you upload the program to a site like VirusTotal to check that it is not flagged as malicious.