BleachBit is a well-known application among Linux, Windows, and macOS users who wish to reclaim disk space by deleting disposable data. With over one million downloads on SourceForge, BleachBit has gained significant momentum, and cyber crooks have found a way to monetize the tool's popularity. They have created a fake copy of the official BleachBit website through which they spread an info-stealing malware threat named AZORult.
AZORult has been around since 2016 and is quite accessible - those interested could buy it for about $100 on Russian hacking forums. It collects a broad variety of sensitive user data, such as saved logins and other credentials, desktop and text files, browsing data, cryptocurrency data, and more. The threat can also act as a downloader for other malware, and researchers recently discovered that a variant of AZORult can create a hidden admin account on infected computers to establish a Remote Access Protocol connection.
Appealing websites often leveraged by cyber crooks
The fake BleachBit website looks appealing because the malware actors designed it to resemble the app's original page, recreating its general layout and details. What may also fool many users is the domain the attackers use - "bleachbitcleaner[.]com". There are some alarm bells on the site that more experienced users should be able to notice - only one link is available on the website, and the embedded online tutorial is for a beta version of the program released in 2009.
After discovering the fake BleachBit website, researchers traced the payload trail back to the file-sharing platform Dropbox. The server to which AZORult sends the stolen data could also be tracked down - it is named "twooo[.]cn". The binary of the corrupted BleachBit copy may carry the same name as the legitimate app, yet it lacks the official icon. Once installed on a machine, the data-stealer contacts its Command-and-Control server to get instructions. Researchers are still not sure how potential victims land on the malicious BleachBit download site. It may rank high in search engines due to its profile, or the attackers may manually push it on support forums among users interested in securely deleting sensitive data.
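The two domains named above are the kind of indicator a defender would want to match against proxy or DNS logs. The following is an added example, not code from the original write-up: it refangs the indicators as the article gives them and flags any log line whose host is one of them or a subdomain; the log lines are constructed sample data, and the Dropbox line stays unflagged because a shared file host is not a usable block indicator on its own.

```python
import re
from typing import Iterable

# Indicators named in the write-up, kept in the defanged form the article uses.
DEFANGED_IOCS = {
    "bleachbitcleaner[.]com": "fake BleachBit download site",
    "twooo[.]cn": "AZORult exfiltration server",
}

def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]com', 'hxxp://') back into a matchable form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def host_matches(host: str, ioc_domain: str) -> bool:
    """True if host is the indicator domain itself or a subdomain of it (never a prefix match)."""
    host = host.lower().rstrip(".")
    return host == ioc_domain or host.endswith("." + ioc_domain)

# Constructed sample proxy log lines (not from the article): timestamp, client, method, URL.
SAMPLE_PROXY_LOG = """\
2020-02-10T09:12:01Z 10.0.0.15 GET https://www.bleachbit.org/download/windows
2020-02-10T09:14:44Z 10.0.0.15 GET http://bleachbitcleaner.com/BleachBit.zip
2020-02-10T09:15:02Z 10.0.0.15 POST http://twooo.cn/index.php
2020-02-10T09:16:10Z 10.0.0.22 GET https://www.dropbox.com/s/PLACEHOLDER/BleachBit.zip?dl=1
"""

# Fields: timestamp, client IP, method, then the URL whose host we extract.
URL_HOST_RE = re.compile(r"^\S+\s+(\S+)\s+\S+\s+\w+://([^/\s:]+)")

def find_ioc_hits(log_lines: Iterable[str]) -> list:
    """Return (client_ip, host, description) for every line whose host matches an indicator."""
    iocs = {refang(k): v for k, v in DEFANGED_IOCS.items()}
    hits = []
    for line in log_lines:
        m = URL_HOST_RE.match(line)
        if not m:
            continue
        client, host = m.group(1), m.group(2)
        for domain, desc in iocs.items():
            if host_matches(host, domain):
                hits.append((client, host, desc))
    return hits

if __name__ == "__main__":
    for client, host, desc in find_ioc_hits(SAMPLE_PROXY_LOG.splitlines()):
        print(f"{client} contacted {host} ({desc})")
```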
Many anti-virus engines on the VirusTotal scanning platform detect the AZORult binary and ZIP archive, though detection rates are still not high enough. Apart from the fake BleachBit website, AZORult also relies on the typical malware distribution channels, such as phishing campaigns and social engineering techniques. Other malware families like Emotet and Ramnit are also known for downloading AZORult.