GCleaner — Garbage Provider Since 2019

Benoit ANCEL
CSIS TechBlog
Published in
6 min readJan 18, 2021

Reselling access to infected machines (aka “loads reselling”) has become a huge part of the cybercrime industry. In this article we investigate an active threat actor, who has been in the loads industry for over two years, reselling access to hundreds of thousands of machines every month.

When botnet operators want to start their business, they have to face different challenges. They have to buy (or build) a piece of malware and a backend, rent different servers, pay for cryptors, certificates etc — but in the end, one very important point is how to distribute the malicious software.

They can distribute the malware themselves (which is a lot of work) or pay a third-party, so called “load resellers”. Spammers, exploit kit distributors, Pay-Per-Install (PPI) vendors — all of them are just load resellers. You don’t buy a number of spam campaigns from a spammer, you buy a number of infections — no matter how they are obtained.

As profitable as the loads business might be, it’s also a complex industry facing lots of changes that requires a strong adaptive capacity in order to survive. Selling loads is not only about how many people you can infect; it’s also what quality of infections you can provide to your clients.

Loads sellers also have to protect their customers. When they distribute a payload they have to avoid ending up analyzed by sandboxes, or talked about in social media. Otherwise the malware IOCs would be burned and their clients would have to buy new domains or certificates in order to stay outside blacklists, such as Spamhaus.

When a cybercrime operation tries to steal money from a bank, the operators need victims who are accessing their online banking accounts. That means you can forget about distributing a fake Roblox crack, but instead need to find a way to infect accounting services and such.

Spam is of course one of the main ways to sell loads, you can craft a specific mailing lists targeting only companies or specific sectors in order to obtain good quality bots, but banking trojan admins are sometimes very picky and will only pay the spammer if an infected bot reaches the webinjects CNC. It’s not an easy job.

When you’re good at spamming you can make good money: We observed good spamming actors earning up to 60 000 USD a week when they work well, but as strange as it seems, spamming starts being more and more complicated and lots of spammers lose their clients to other kinds of loads resellers.

We observed spammers complaining about different factors, the first one being that from their estimations, up to 40% of the emails sent to the victims are opened on mobile devices. They cannot infect easily a tablet or a smartphone and that means that half of the work they do goes directly in the trash. 2020 didn’t helped them either, the medical crisis sending everybody home and various companies closing down caused a huge loss in term of spam ratio.

Having done this long introduction about the state of loads selling business, we are going to introduce you to an actor that is becoming very powerful.

It is a load seller working mainly for ransomware and password stealers actors for at least two years and who is starting to reach huge monthly infections numbers.

Garbage cleaner — Selling garbage since 2019

In the beginning of 2019 we observed a new actor becoming a client of the Fast Flux network called Brazzzers. This client was using the fast flux to host a website called G-Cleaner for Garbage Cleaner, mimicking cleaning tools like CCleaner.

g-cleaner[.]info

Back then the admin was promoting the fake software via emails in order to have his cleaning tool downloaded, which was in fact dropping the Azorult password stealer.

Quickly we observed the website implementing a Traffic Direction System (TDS) using IPLogger in order to distribute different malware samples depending on the location the victim was downloading the fake cleaner from, and the list of these distributed malware samples started to grow.

Azorult, PredatorTheThieff, and Miners started to be distributed but the infection ratio seemed to not be very good for a load reseller. The problem was that you could download the fake software from the fake website, so any AV company could just automatically retrieve all the payloads and blacklist the IOCs automatically.

That’s when the load sellers started to change their way of spreading the fake software. No more G-cleaner direct download around, the distribution is now done by various different crack websites.

Example of crack websites

After running one of those cracks, many different pieces of malware are deployed on the victim’s computer.

Depending on your country, you receive different malware. In January 2021 we observed:

DJVU stats backend

Many others info stealer families were observed and can be found listed as IOCs at the end of the article.

The infrastructure

As mentioned earlier, this loads seller seems to try to hide his servers behind the Brazzzers fast flux. We managed to extract the real location of the backend over time:

cleaner-g.online — 91.243.83.187
cleaner-g.site — 91.243.83.187
gcleaner.info — 91.243.83.187
g-cleaner.info — 91.243.83.187
gcleaner.ru — 91.243.83.187
ggcleaner.top — 91.243.83.187
ggcleaner.xyz — 91.243.83.187
sfccleaner.top — 91.243.83.187
ge-cleaner.tech — 5.182.39.210
ge-cleaner.xyz — 5.182.39.210
ggcleaner.space — 5.182.39.203
ggcleaner.tech — 5.182.39.203
gcc-partners.in — 5.182.39.44

As we can see, despite the frequent renewal of the domains, the backend stayed at the same place for 2 years, showing the efficiency of the Brazzzer Fast flux to protect their servers.

Statistics

We managed to obtain infection statistics for a month of activity, between December 2020 and January 2021.

The G-Cleaner network generated over 150,000 infections worldwide during this timeframe. It’s a huge number considering that December and January are not the best months for the cybercrime industry.

Those infections seem to be split between 4 partners, with each partner targeting a specific region: US, CA, EU and MIX (common word for a bit of every country).

World map of infections
European map showing the clear CIS border

Top 25 infected countries for January 2021:

We can see here that the loads seller seems to bet on quantity and not quality of infections. They infect the maximum number of victims they can, regardless of whether it’s an interesting victim or not. That’s why the majority of malware seen related to this threat is password stealers. They distribute lots of password stealers to collect a huge amount of various credentials for services like Netflix, Apple, Google, Spotify in order to fuel the black market and make extra money.

We unfortunately didn’t find the price list for that particular loads seller, but if we refer to the actual market, Asian and South American bots can be sold for around 0.2 USD per infection, European goes up to 0.60 USD and US bots can be sold for more than 1 USD. So, even working on quantity and not quality we can see that loads selling is a very profitable business.

Recent IOCs

crackedinfo.net
softkeygenpro.com
topkeygen.com
cleaner-g.online
cleaner-g.site
gcleaner.info
g-cleaner.info
gcleaner.ru
ggcleaner.top
ggcleaner.xyz
sfccleaner.top
ge-cleaner.tech
ge-cleaner.xyz
ggcleaner.space
ggcleaner.tech
gcc-partners.in
covid2023.info
f241beb45db9a8b7.xyz
naritouzina.net
prodocomelo.info
dream.pics
landoflegendstore.net
chrome-booster.com
331befdc5416a898.xyz
noabuseshere.top
havalpartsch.top
mmmmonsterpack.info
radrile.xyz
telete.in
topprogress.top
davincieditor.com
wheredoyougo.cn
vjsi.top

Related work

https://www.bleepingcomputer.com/news/security/fake-windows-pc-cleaner-drops-azorult-info-stealing-trojan/

Happy hunting!

--

--