Beware Fake Malwarebytes distributing coin miner


On 21/08/2020 the Avast team detected a fake Malwarebytes installer containing a backdoor that loads a Monero miner based on XMRig onto infected PCs. The most common file name being distributed is "MBSetup2.exe". Avast and AVG antivirus protected nearly 100K users from this fake installer. The campaign started spreading in Russia, Ukraine, and Eastern Europe; where or how the fake installation file is being distributed is still being investigated, but these installation files are not being distributed via official Malwarebytes channels.

The cyber criminals have repackaged the Malwarebytes installer to contain a malicious payload. The fake installation file, MBSetup2.exe, is unsigned and contains malicious DLL files called Qt5Help.dll and Qt5WinExtras.dll with invalid digital signatures; all other portable executable (PE) files packed inside the installer are signed with valid Malwarebytes or Microsoft certificates. The criminals can change the malicious payload at any time, distributing other malicious programs to infected PCs.

What will happen when the fake app is launched?


After executing the fake Malwarebytes installer, a fake Malwarebytes setup wizard appears. The malware installs a fake Malwarebytes program to "%ProgramFiles(x86)%\Malwarebytes" and hides most of the malicious payload inside one of the two DLLs, Qt5Help.dll and Qt5WinExtras.dll. The malware notifies victims that Malwarebytes was successfully installed, but in fact the program cannot be opened.

The malware then installs itself as a service called "MBAMSvc" and proceeds to download an additional malicious payload, which is currently a cryptocurrency miner called Bitminer, a Monero miner based on XMRig.

The installation wizard is based on the popular Inno Setup tool which makes it look different from the actual Malwarebytes installer, as can be seen in the screenshots below.

[Screenshot: the fake setup screen]

[Screenshot: the real Malwarebytes setup screen]

To check if your PC has been infected

It's easy: you can check whether your PC has been infected by searching for one of the following files:
%ProgramData%\VMware\VMware Tools\vmtoolsd.exe
%ProgramData%\VMware\VMware Tools\vmmem.exe
%ProgramData%\VMware\VMware Tools\vm3dservice.exe
%ProgramData%\VMware\VMware Tools\vmwarehostopen.exe


If you find any of these files, we advise you to delete all files under "%ProgramFiles(x86)%\Malwarebytes" and the executables under "%ProgramData%\VMware\VMware Tools\"; the service "MBAMSvc" can also be stopped and then removed.

Avast can detect and quarantine the installer and the DLL files, making the MBAMSvc service benign. MBAMSvc can be removed by opening an elevated command prompt and executing the command "sc.exe delete MBAMSvc".

Users who also have the real Malwarebytes software installed should be careful when removing these files, as the actual Malwarebytes program also installs itself to %ProgramFiles%\Malwarebytes. To be on the safe side, users can remove all the files in this folder, and reinstall Malwarebytes directly from their website.
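The manual checks above (the four executables under the VMware Tools path, the two DLLs with invalid signatures in the fake install folder, and the MBAMSvc service) can be collected into one read-only PowerShell script. This is an added example, not code from the original post or from Avast; it assumes the file names, folder paths and service name are exactly as listed in the article, and it only reports findings, deleting nothing, so it is safe to run before deciding on the removal steps and the caveat about a genuine Malwarebytes install.

```powershell
# Added example (not from the original post): report the indicators named in the article.
# Read-only: nothing is deleted or stopped. Paths, DLL names and the service name are
# taken from the post and assumed to be exact.

$ErrorActionPreference = 'SilentlyContinue'
$findings = @()

# 1. Dropped miner components under the VMware Tools path (names from the post)
$vmDir = Join-Path $env:ProgramData 'VMware\VMware Tools'
foreach ($name in 'vmtoolsd.exe', 'vmmem.exe', 'vm3dservice.exe', 'vmwarehostopen.exe') {
    $p = Join-Path $vmDir $name
    if (Test-Path -LiteralPath $p) { $findings += "File present: $p" }
}

# 2. The fake install folder and its two payload DLLs. The post says their digital
#    signatures are invalid, so check Authenticode status rather than the name alone.
$mbDir = Join-Path ${env:ProgramFiles(x86)} 'Malwarebytes'
foreach ($dll in 'Qt5Help.dll', 'Qt5WinExtras.dll') {
    $p = Join-Path $mbDir $dll
    if (Test-Path -LiteralPath $p) {
        $sig = Get-AuthenticodeSignature -FilePath $p
        if ($sig.Status -ne 'Valid') {
            $findings += "DLL with $($sig.Status) signature: $p"
        }
    }
}

# 3. The persistence service. Report its binary path so it can be compared against
#    whatever a legitimate product on the machine installs before anything is removed.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='MBAMSvc'"
if ($svc) { $findings += "Service MBAMSvc present, binary: $($svc.PathName)" }

if ($findings.Count -eq 0) { 'No indicators from the article found.' }
else { $findings }
```

Run it from an elevated PowerShell prompt so the signature check and service query are not blocked by permissions. A `HashMismatch` or `NotSigned` status on one of the two DLLs is the strongest of the three signals, since the article notes that every other PE file in the installer carries a valid Malwarebytes or Microsoft signature.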
