Researchers have discovered a web site pushing a PC cleaner tool for Windows that in reality is just a front for the Azorult password and information stealing Trojan.
AZORult is a trojan that when installed attempts to steal a user's browser passwords, FTP client passwords, cryptocurrency wallets, desktop files, and much more.
Instead of renting distribution methods such as spam, exploit kits, or being dropped by other trojans, the attackers decided to create a fake Windows utility and an accompanying web site to distribute the trojan instead.
The G-Cleaner facade
Last month, security researcher Benkow discovered a website named gcleaner[ ]info that was advertising a Windows junk cleaner tool called G-Cleaner or Garbage Cleaner. The site, which is still up as of this writing, is well made and looks like any other legitimate site promoting a program that its developers created.
G-Cleaner Web Site
Trojan dropped behind the scenes
When the G-Cleaner program is installed, it will download the main components of the fake PC cleaner and save them to the C:\ProgramData\Garbage Cleaner or C:\ProgramData\G-Cleaner folders depending on the version.
It will then extract a randomly named file to the %Temp% folder and execute it. This file is the malware component that will attempt to steal your computer's passwords, data, wallets, and other information.
While running, it will communicate with a Command & Control server via the gate.php script as shown in the image below. As its last communication before it removes itself, it will upload a file called Encrypted.zip that contains the harvested data from a victim's machine.
Network traffic from dropped file
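The network behaviour described above (a POST to gate.php followed by an upload of Encrypted.zip) can be turned into a simple proxy-log triage. The following is an added example written for this article, not code from the researcher or from the malware; the log format, the client addresses and the C2 host name (c2.example.invalid) are constructed placeholders, and a lone gate.php POST is treated as a weak signal because that script name is not unique to AZORult.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Field order assumed here:
# timestamp client method url status content-type bytes upload-filename
SAMPLE_PROXY_LOG = """\
2019-05-14T10:02:11Z 10.0.0.15 POST http://c2.example.invalid/gate.php 200 text/plain 312 -
2019-05-14T10:02:13Z 10.0.0.15 GET http://updates.example.invalid/check 200 text/html 1024 -
2019-05-14T10:02:40Z 10.0.0.15 POST http://c2.example.invalid/gate.php 200 multipart/form-data 184320 Encrypted.zip
2019-05-14T10:05:00Z 10.0.0.22 POST http://intranet.example.invalid/gate.php 200 application/json 90 -
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+) (?P<bytes>\d+) (?P<upload>\S+)$"
)


@dataclass
class Finding:
    client: str
    severity: str
    reason: str


def triage(log_text: str) -> List[Finding]:
    """Group gate.php POSTs per client and rate them by the presence of the Encrypted.zip upload."""
    gate_posts: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        rec = m.groupdict()
        if rec["method"] == "POST" and urlparse(rec["url"]).path.endswith("/gate.php"):
            gate_posts[rec["client"]].append(rec)

    findings = []
    for client, recs in gate_posts.items():
        uploads = [r for r in recs if r["upload"].lower() == "encrypted.zip"]
        if uploads:
            # Check-in plus exfil archive matches the behaviour described in the article.
            findings.append(Finding(client, "high", f"gate.php POST uploading Encrypted.zip to {uploads[0]['url']}"))
        else:
            # gate.php is a common script name; on its own it only warrants a look at the host.
            findings.append(Finding(client, "low", f"gate.php POST to {recs[0]['url']}; verify the destination host"))
    return sorted(findings, key=lambda f: f.client)


if __name__ == "__main__":
    for f in triage(SAMPLE_PROXY_LOG):
        print(f"{f.severity.upper():5} {f.client}: {f.reason}")
```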