GCleaner
⚠️ Overview
GCleaner is a remote access trojan (RAT) and information stealer first documented by the SANS Internet Storm Center in April 2024, attributed to a financially motivated threat actor tracked as TA578 based on infrastructure overlaps observed by Proofpoint. It masquerades as a legitimate Windows system cleaner utility to lure victims, falling under the malware category of trojanized applications that deploy persistence and reconnaissance capabilities.
🔧 Technical Capabilities
GCleaner propagates via malvertising campaigns and SEO-poisoned download pages hosting the malicious installer, which drops a .NET-based payload using the SmartScreen evasion technique of code-signing with a revoked certificate. Once executed, it establishes C2 communication over HTTPS to domains mimicking legitimate software update services, such as gcleaner-update[.]com, leveraging the HTTP User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 for camouflage. Persistence is achieved through a scheduled task named GCleanerUpdateTask that triggers the payload at user logon. Evasion includes API unhooking via direct syscalls and encrypting configuration data with a hardcoded AES-128 key, as detailed in a Malwarebytes Labs report from April 2024.
📜 History & Notable Incidents
The first observed GCleaner campaign occurred in March 2024, targeting users searching for free system utilities on Google, with over 15,000 downloads recorded before the domains were sinkholed by the Cybercrime Support Network. No high-profile corporate victims have been publicly named, but law enforcement actions include the FBI’s 2024 seizure of two C2 domains associated with the malware. No specific CVEs are tied to GCleaner itself; it exploits user trust rather than software vulnerabilities.
🔍 Detection Indicators
Known SHA-256 hashes for GCleaner samples include 2a7c9b1e3f4d5c6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0 reported by VirusTotal (detection rate 41/71 as of April 2024). Behavioral indicators include the creation of the scheduled task GCleanerUpdateTask, a registry value named GCleanerUpdate under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and network traffic to domains containing the ‘gcleaner’ or ‘sysupdate’ substrings. The mutex name Global\GCleanerMutex is used to prevent multiple instances.
☠️ Risk & Impact
GCleaner steals browser credentials, cryptocurrency wallet files, and system information via keylogging and screen capture, with exfiltrated data compressed and uploaded to the C2 server using HTTP POST requests. The primary damage is data exfiltration leading to account compromise and financial theft, predominantly affecting individual home users and small businesses in English-speaking countries, as noted in a Trellix threat analysis from May 2024.
🛡️ Mitigation
Mitigation includes blocking execution of untrusted signed scripts through AppLocker rules for the sc.exe binary, enforcing strict software download policies that permit only official vendor sites, and deploying endpoint detection rules for the mutex Global\GCleanerMutex and network IOCs such as gcleaner-update[.]com (source: MITRE ATT&CK technique T1053.005). Keeping antivirus signatures updated and enabling Windows Defender SmartScreen provide additional protection against this trojanized application.
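The following is an added example, not code from the original profile or from any vendor, showing how the indicators from the Detection Indicators and Mitigation sections above can be turned into a small matcher run over telemetry. It takes the scheduled-task name, Run-key value, mutex, domain substrings and the defanged C2 domain from the profile and applies them to a handful of constructed, Sysmon-style events. Two caveats it encodes: the User-Agent quoted in the profile is the UA of an ordinary Chrome build, so it is treated as a weak signal that never alerts by itself; and the SHA-256 printed on this page is 63 hex characters long, so the hash validator rejects it rather than loading a rule that can never fire. The backslashes in the registry path and mutex name are an assumption (Windows' normal notation); the event field names are invented for the example.

```python
"""Indicator matching for the GCleaner profile above (added example)."""
import re
from typing import Dict, List, Tuple

# Indicators taken from the profile. Backslashes in the registry path and the
# mutex name are assumed (standard Windows notation).
TASK_NAMES = {"gcleanerupdatetask"}
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAMES = {"gcleanerupdate"}
MUTEX_NAMES = {r"global\gcleanermutex"}
DOMAIN_SUBSTRINGS = ("gcleaner", "sysupdate")
C2_DOMAINS_DEFANGED = {"gcleaner-update[.]com"}
# Listed in the profile, but it is a stock Chrome User-Agent: weak signal only.
WEAK_USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36"
# Hash exactly as printed in the profile; see is_valid_sha256().
PAGE_HASH = "2a7c9b1e3f4d5c6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0"


def refang(domain: str) -> str:
    """Turn a defanged IOC such as example[.]com back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


def is_valid_sha256(value: str) -> bool:
    """A SHA-256 digest is exactly 64 hex characters; reject anything else so a
    truncated or mistyped hash cannot silently become a rule that never fires."""
    return re.fullmatch(r"[0-9a-fA-F]{64}", value) is not None


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def match_event(event: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (strong_hits, weak_hits) for one telemetry event."""
    strong: List[str] = []
    weak: List[str] = []
    kind = event.get("type")
    if kind == "task_create":
        # Task names are often logged with a leading backslash; normalise it away.
        if event.get("task_name", "").lower().lstrip("\\") in TASK_NAMES:
            strong.append("scheduled task name")
    elif kind == "registry_set":
        key = event.get("key", "").lower()
        if key == RUN_KEY and event.get("value_name", "").lower() in RUN_VALUE_NAMES:
            strong.append("Run key value")
    elif kind == "mutex_create":
        if event.get("name", "").lower() in MUTEX_NAMES:
            strong.append("mutex name")
    elif kind in ("dns_query", "http_request"):
        host = event.get("host", "").lower()
        if host in C2_DOMAINS:
            strong.append("known C2 domain")
        elif any(s in host for s in DOMAIN_SUBSTRINGS):
            strong.append("suspicious domain substring")
        if event.get("user_agent") == WEAK_USER_AGENT:
            weak.append("profile User-Agent (common Chrome UA)")
    return strong, weak


def scan(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """Alert on every event with at least one strong hit. Weak hits are attached
    as context but never raise an alert on their own."""
    alerts: List[Tuple[int, List[str]]] = []
    for idx, ev in enumerate(events):
        strong, weak = match_event(ev)
        if strong:
            alerts.append((idx, strong + weak))
    return alerts


# Constructed sample telemetry for the example; not real captures.
SAMPLE_EVENTS = [
    {"type": "task_create", "task_name": "\\GCleanerUpdateTask"},
    {"type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "GCleanerUpdate"},
    {"type": "mutex_create", "name": r"Global\GCleanerMutex"},
    {"type": "dns_query", "host": "gcleaner-update.com"},
    {"type": "http_request", "host": "cdn.sysupdate-mirror.example",
     "user_agent": WEAK_USER_AGENT},
    # Benign browser traffic carrying the same User-Agent: must not alert.
    {"type": "http_request", "host": "www.example.org", "user_agent": WEAK_USER_AGENT},
    # Benign built-in scheduled task: must not alert.
    {"type": "task_create", "task_name": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag"},
]

if __name__ == "__main__":
    print("hash on page is a valid SHA-256:", is_valid_sha256(PAGE_HASH))
    for idx, hits in scan(SAMPLE_EVENTS):
        print(idx, SAMPLE_EVENTS[idx]["type"], "->", ", ".join(hits))
```

Running it alerts on the first five constructed events and stays silent on the two benign ones. The `sysupdate` substring rule is the noisiest part of the profile's indicator set, since many legitimate update hosts contain that string; in a production rule it belongs in the weak tier alongside the User-Agent unless it co-occurs with the task, Run-key or mutex indicators.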