Poisoned CCleaner search results spread information-stealing malware

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Malware that steals your passwords, credit cards, and crypto wallets is being promoted through search results for a pirated copy of the CCleaner Pro Windows optimization program.

This new malware distribution campaign is dubbed “FakeCrack,” and was discovered by analysts at Avast, who report detecting an average of 10,000 infection attempts every day from its customer telemetry data. Most of these victims are based in France, Brazil, Indonesia, and India.

The malware distributed in this campaign is a powerful information stealer that can harvest personal data and cryptocurrency assets and route internet traffic through data-snatching proxies.

A Black Hat SEO campaign​

The threat actors follow Black Hat SEO techniques to rank their malware-distribution websites high in Google Search results so that more people will be tricked into downloading laced executables.
The lure seen by Avast is a cracked version of CCleaner Professional, a popular Windows system cleaner and performance optimizer that is still considered a “must-have” utility by many users.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
search results for a pirated copy 🤔
Very common old practice and also highly effective.

 

vuksha_xc60

Level 1
Jun 22, 2020
29
The lure seen by Avast is a cracked version of CCleaner Professional, a popular Windows system cleaner and performance optimizer that is still considered a “must-have” utility by many users.

I don't really know who on the Earth could claim that CCleaner is a must have utility these days after all the incidents related to it happened in the past.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Anyone who searches for a pirated Ccleaner deserves to get infected, maybe. I know all of these sites and submitted to quite a few vendors. But some, including Avast don't block most of the sites you see in the screenshots even at this moment. Most of these sites themselves don't contain malware, but IMO it's important to block them all to stop the main source. AVs that block almost all are ESET, Kaspersky, Malwarebytes, probably F-Secure :)unsure:)and maybe a few others.
 

ScandinavianFish

Level 7
Verified
Dec 12, 2021
317
Anyone who searches for a pirated Ccleaner deserves to get infected, maybe. I know all of these sites and submitted to quite a few vendors. But some, including Avast don't block most of the sites you see in the screenshots even at this moment. Most of these sites themselves don't contain malware, but IMO it's important to block them all to stop the main source. AVs that block almost all are ESET, Kaspersky, Malwarebytes, probably F-Secure :)unsure:)and maybe a few others.
Many of these sites are "legit", its just they contain "download here" ad buttons and site redirects that are the ones spreading malware, so in the eyes of AV vendors they sit in kinda of an grey zone and may or may not be completely blocked.
 

Kongo

Level 35
Verified
Top Poster
Well-known
Feb 25, 2017
2,481
Just found one of the "CCleaner Installers":

File size is above 600mb so that the antivirus and antimalware solution can't scan the executable file. Most AVs have a file size limit for scanning, so thats the attackers way to evade detection. It was even too big to upload to VirusTotal or Intenzer Analyze.

Screenshot 2022-06-09 003217.png


After checking out the file in HexEdit I saw that a big part of the executable just consists of data with no function, which is the reason why the file is so big.

Junk Data:
Screenshot 2022-06-09 003645.png

Actual malicious part:
Screenshot 2022-06-09 003924.png


After deleting the junk part, the file size was just a few KB and ready to upload to VirusTotal.
Screenshot 2022-06-09 004011.png


VirusTotal result:
Screenshot 2022-06-09 004119.png

So always be cautious with big exe-files from untrusted sources. ;)
 

robert-smith

Level 1
Mar 10, 2022
12
instead of spending time with the pirate software I prefer useing giveaway versions. they're %1000gb trustful and the lisences come from their own venders.
aditionally, I use cCleaner portable on my pc as well with my own personalised settings, that's actually enough for me. even if it promises to save the whole universe with the pro features I don't care. I already run it once per week, maybe a century.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top