Poisoned CCleaner search results spread information-stealing malware

LASER_oneXM

Level 37
Thread author
Verified
Top poster
Well-known
Feb 4, 2016
2,519
Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program.

This new malware distribution campaign is dubbed “FakeCrack,” and was discovered by analysts at Avast, who report detecting an average of 10,000 infection attempts every day from its customer telemetry data. Most of these victims are based in France, Brazil, Indonesia, and India.

The malware distributed in this campaign is a powerful information stealer that can harvest personal data and cryptocurrency assets and route internet traffic through data-snatching proxies.

A Black Hat SEO campaign

The threat actors follow Black Hat SEO techniques to rank their malware-distribution websites high in Google Search results so that more people will be tricked into downloading laced executables.
The lure seen by Avast is a cracked version of CCleaner Professional, a popular Windows system cleaner and performance optimizer that is still considered a “must-have” utility by many users.

upnorth

Moderator
Verified
Staff member
Malware Hunter
Well-known
Jul 27, 2015
4,974
search results for a pirated copy 🤔
Very common old practice and also highly effective.


vuksha_xc60

Level 1
Jun 22, 2020
26
The lure seen by Avast is a cracked version of CCleaner Professional, a popular Windows system cleaner and performance optimizer that is still considered a “must-have” utility by many users.

I don't really know who on Earth could claim that CCleaner is a must-have utility these days, after all the incidents related to it that happened in the past.

SeriousHoax

Level 43
Verified
Top poster
Well-known
Mar 16, 2019
3,236
Anyone who searches for a pirated CCleaner deserves to get infected, maybe. I know all of these sites and submitted them to quite a few vendors. But some, including Avast, don't block most of the sites you see in the screenshots even at this moment. Most of these sites themselves don't contain malware, but IMO it's important to block them all to stop the main source. AVs that block almost all are ESET, Kaspersky, Malwarebytes, probably F-Secure (unsure) and maybe a few others.
Dec 12, 2021
206
Anyone who searches for a pirated CCleaner deserves to get infected, maybe. I know all of these sites and submitted them to quite a few vendors. But some, including Avast, don't block most of the sites you see in the screenshots even at this moment. Most of these sites themselves don't contain malware, but IMO it's important to block them all to stop the main source. AVs that block almost all are ESET, Kaspersky, Malwarebytes, probably F-Secure (unsure) and maybe a few others.
Many of these sites are "legit"; it's just that they contain "download here" ad buttons and site redirects that are the ones spreading malware, so in the eyes of AV vendors they sit in kind of a grey zone and may or may not be completely blocked.

SeriousHoax

Level 43
Verified
Top poster
Well-known
Mar 16, 2019
3,236
Many of these sites are "legit"; it's just that they contain "download here" ad buttons and site redirects that are the ones spreading malware, so in the eyes of AV vendors they sit in kind of a grey zone and may or may not be completely blocked.
As I said, "IMO it's important to block them all to stop the main source."

SecureKongo

Level 29
Verified
Top poster
Well-known
Feb 25, 2017
1,849
Just found one of the "CCleaner Installers":

File size is above 600 MB so that the antivirus and antimalware solution can't scan the executable file. Most AVs have a file size limit for scanning, so that's the attacker's way to evade detection. It was even too big to upload to VirusTotal or Intezer Analyze.

Screenshot 2022-06-09 003217.png


After checking out the file in HexEdit I saw that a big part of the executable just consists of data with no function, which is the reason why the file is so big.

Junk Data:
Screenshot 2022-06-09 003645.png

Actual malicious part:
Screenshot 2022-06-09 003924.png


After deleting the junk part, the file size was just a few KB and ready to upload to VirusTotal.
Screenshot 2022-06-09 004011.png


VirusTotal result:
Screenshot 2022-06-09 004119.png

So always be cautious with big exe-files from untrusted sources. ;)
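The post above describes an installer inflated past the size limit of most scanners with a large block of junk bytes, and the poster's triage step of cutting that junk away so the remaining few KB could be submitted to VirusTotal. The following script is an added example, not code from the post or from any vendor: it reads the PE section table to find where the real image ends, measures the data appended after it (the overlay), and reports whether that overlay is both huge and near-uniform, which is the signature of padding rather than a legitimate installer payload. The `build_sample` helper constructs a minimal PE-shaped test buffer so the script runs offline; it is not a real installer, and the thresholds in `looks_inflated` are assumptions to tune per environment.

```python
"""Triage helper for executables inflated with junk padding (added example)."""
import struct
from collections import Counter


def pe_image_end(data: bytes) -> int:
    """Return the file offset at which the last PE section's raw data ends.

    Everything past this offset is 'overlay' data that the loader never maps.
    Raises ValueError for buffers that are not PE files.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", data, coff + 16)[0]
    sec_table = coff + 20 + opt_hdr_size
    end = sec_table + num_sections * 40          # at least the headers
    for i in range(num_sections):
        off = sec_table + i * 40
        # SizeOfRawData and PointerToRawData sit at +16 and +20 of each entry
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def junk_profile(data: bytes, max_samples: int = 65536) -> dict:
    """Describe the overlay: size, share of the file, and how uniform it is.

    Uniformity is the share of the single most common byte value, measured on
    a strided sample so that multi-hundred-MB files stay cheap to profile.
    """
    end = pe_image_end(data)
    overlay = data[end:]
    top_share = 0.0
    if overlay:
        stride = max(1, len(overlay) // max_samples)
        sample = overlay[::stride]
        top_share = Counter(sample).most_common(1)[0][1] / len(sample)
    return {
        "file_size": len(data),
        "image_end": end,
        "overlay_size": len(overlay),
        "overlay_ratio": len(overlay) / len(data),
        "overlay_top_byte_share": top_share,
    }


def looks_inflated(data: bytes, min_ratio: float = 0.9,
                   min_uniform: float = 0.95) -> bool:
    """Flag files whose overlay is most of the file AND nearly one byte value.

    Thresholds are assumptions for this example. Genuine installers (NSIS,
    Inno, etc.) carry large but high-entropy overlays, so size alone is not
    used as the discriminator.
    """
    p = junk_profile(data)
    return (p["overlay_ratio"] >= min_ratio
            and p["overlay_top_byte_share"] >= min_uniform)


def strip_overlay(data: bytes) -> bytes:
    """Return only the mapped image, i.e. the file with its overlay removed.

    This mirrors the poster's manual step of deleting the junk before upload.
    Keep the original as well: the overlay itself may still be evidence.
    """
    return data[:pe_image_end(data)]


def build_sample(overlay: bytes) -> bytes:
    """Construct a minimal, non-runnable PE-shaped buffer for testing.

    Constructed test data, not real malware: one .text section of 0x200
    bytes at file offset 0x400, followed by the supplied overlay.
    """
    e_lfanew = 0x80
    dos = bytearray(b"MZ" + b"\0" * (e_lfanew - 2))
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_hdr_size = 0xE0                          # PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_hdr_size, 0x102)
    opt = bytes(opt_hdr_size)
    section = (b".text\0\0\0"
               + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x400)
               + bytes(16))
    headers = (bytes(dos) + b"PE\0\0" + coff + opt + section).ljust(0x400, b"\0")
    body = bytes(range(256)) * 2                 # 0x200 bytes of varied content
    return headers + body + overlay


if __name__ == "__main__":
    padded = build_sample(b"\0" * (8 << 20))     # 8 MB of null padding
    print(junk_profile(padded), looks_inflated(padded))
    print(len(strip_overlay(padded)), "bytes after stripping")
```

Run it against a suspect file by reading the bytes and calling `junk_profile` and `looks_inflated`; a true result is a cue to hand the stripped image to a sandbox or multi-engine scanner while retaining the original, since a scanner that skips oversized files will still not see the padded copy.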

robert-smith

Level 1
Mar 10, 2022
14
Instead of spending time with the pirate software I prefer using giveaway versions. They're 1000% trustful and the licenses come from their own vendors.
Additionally, I use CCleaner portable on my PC as well with my own personalised settings; that's actually enough for me. Even if it promises to save the whole universe with the pro features I don't care. I already run it once per week, maybe a century.