Wie untersucht Internet-Security-Spezialisten von Benkow Unternehmen, under the guise of legitimate G-Cleaner utility that is used for cleaning of disk space in Windows environment, wird Malware-Installer geteilt.Website that offers fake application, wurde Ende März entdeckt, jedoch, es ist immer noch aktuell verfügbar.
Criminal Plattform sieht als Ressource üblichen Entwickler und enthält Beschreibung des Tools, license agreement and other information.
Program creators argue that it designed for removal of temporary files, damaged links and stories of browser’s cleaning.
“Even when you download and run the program, it looks like countless other homemade PC cleaners and states it will scan your computer for junk files and remove them”, — report Benkow researchers.
Dennoch, after installation on computer, G-Cleaner downloads in %Temp% folder a series of executing objects that are components of AZORult Trojan.
Malware elements create in memory of targeted system a couple of processes and establish connection with command server. Under its command, Trojan tries coping users’ passwords, cryptocurrency wallets data, cookie files and other confidential information. Collected data is packed in Encrypted.zip archive and is send to command center. After job is finished, AZORult deletes its copy from the disk and tries to eliminate other traces of its activity on computer.
Criminal community actively uses Trojan’s code though it leaked to the Internet in the middle of the last year.
In darkweb developed special service that allows generating executive AZORult modules in automatic mode. Intruder have only to indicate address of his command server that will be implemented in malware distributive.
Most often for spreading of data thieves use spam mailing, exploit-packs and other Trojans’ opportunities. jedoch, sometimes cybercriminals invent unusual methods of payload delivery.
“Users should research a site before downloading and installing a program to determine if they have a good reputation and can be trusted. Even then, it is always suggested that you upload the program to a site like VirusTotal to confirm if it’s safe to run”, — advised by information security experts