Top 10 threats of last week by uploads 🌐
⬆️ #Lumma 854 (740)
⬆️ #Remcos 652 (524)
⬆️ #Asyncrat 482 (323)
⬆️ #Xworm 467 (415)
⬆️ #Snake 347 (336)
⬇️ #Agenttesla 268 (288)
⬆️ #Amadey 239 (186)
⬆️ #Dcrat 136 (85)
⬆️ #Stealc 136 (82)
⬆️ #Gcleaner 120 (90)
Track them all: https://any.run/malware-trends/?utm_source=mastodon&utm_medium=post&utm_campaign=top_ten&utm_content=tracker&utm_term=190525
Malware Trends Tracker | ANY.RUN

Explore dynamic articles about various malware types. Look at the latest analyses and IOCs in real time, and track which malware is gaining popularity today.

❗Since mid-December, researchers at Spamhaus have observed an uptick in activity from GCleaner (a.k.a. OnlyLogger) malware. Here we can see GCleaner is clearly active, dropping Stealc malware…

Researchers are seeing two variants of GCleaner, with different infrastructure and URLs for the first request:

1️⃣ A loader - packed with common packers like Dave packer

2️⃣ Impersonating BroomCleaner (as OnlyLogger impersonated GCleaner)

In the example shared, GCleaner is impersonating BroomStealer, and using a library embedded in the NSIS installer to perform the requests.

Is anyone else seeing this activity? Please share your insights in the comments 👇

👀 We'll keep you updated, as we learn more.

#Malware #GCleaner #Stealc #OnlyLogger #BroomStealer #ThreatIntel #ThreatHunting

#NetSupport RAT dropped by #GCleaner Pay-Per-Install (PPI) campaign 🔥

Payload URLs:
🌐 https://urlhaus.abuse.ch/url/2693412/
🌐 https://urlhaus.abuse.ch/url/2693420/

Botnet C2 domains:
📞 https://threatfox.abuse.ch/ioc/1143951/
📞 https://threatfox.abuse.ch/ioc/1143952/

Botnet C2 server hosted at Vultr 🇺🇸:
🤖 https://threatfox.abuse.ch/ioc/1143953/


It's been exactly 3 years since I published a malware deep-dive report; now that I have some free time, I decided to write a new blog about #GCleaner #Loader.

The blog covers string decryption, config extraction, and C2 communications, among other stuff.

https://n1ght-w0lf.github.io/malware%20analysis/gcleaner-loader/

Deep Analysis of GCleaner

GCleaner is a Pay-Per-Install (PPI) loader first discovered in early 2019; it has been used to deploy other malicious families like…

n1ghtw0lf

Lots to look at... this #gcleaner drops all manner of junk... including a recent (Dec 13) #cryptbot

https://app.any.run/tasks/a2c31fa0-84f5-4b3f-a982-c96b5d94f2ef/#

https://app.any.run/tasks/54a6b1cf-db6b-4003-9f82-f3d81907b19b

c2: luaobe32[.]top

file (MD5: E35F0679B35B25A3757086D817BA7A75) - Interactive analysis - ANY.RUN


Dear #GCleaner - just because you use "itsnotmalware" in your URL path doesn't mean that you are actually not malware 😂

Sample:
📄 https://bazaar.abuse.ch/sample/bdb90c7af0a4383b5d6fbd83c4f9ccdd6c2a80bf396cb1da85fe21ed9c6f0093/

GCleaner botnet C2:
👉 https://threatfox.abuse.ch/ioc/1021151/
