Security researchers have observed a new CyrptoJacking campaign where fake Malwarebytes installation files distribute cryptocurrency malware onto infected PCs. These coinminer programs generate cryptocurrencies such as Bitcoin, Ethereum, Monero, and others.
Fake Malwarebytes Coinminer on the loose
Last week, security researchers were able to detect fake Malwarebytes installations files. According to researchers, these files contained a backdoor that distributed coinminer onto infected PCs. Based on XMRig, the malware campaign could generate Monero cryptocurrency.
The installation file in question is MBSetup2.exe. This cryptojacking campaign is spreading in Russia, Ukraine, and Eastern Europe.
“As of yet, we do not know where or how the fake installation file is being distributed, but we can confirm that the installation files are not being distributed via official Malwarebytes channels, which remain trusted sources,” security researchers said in their blog post.
Researchers believe malware operators repackaged the Malwarebytes installer to distribute a malicious payload. For instance, the fake Malwarebytes installation file MBSetup2.exe consists of malicious DLL files Qt5Help.dll and Qt5WinExtras.dll. All other installation files are signed with valid Malwarebytes or Microsoft certificates.
This cryptojacking campaign allows operators to make changes to the malicious payload at any time, allowing them to distribute other malicious programs to infected computers.
The execution of a fake Malwarebytes installer shows a fake setup wizard. It installs the fake program to the following directory:
%ProgramFiles(x86)%\Malwarebytes
A majority of the malicious payload remains hidden inside Qt5Help.dll.
It then notifies victims that Malwarebytes was successfully installed.
“The malware then installs itself as a service called “MBAMSvc” and proceeds to download an additional malicious payload, which is currently a cryptocurrency miner called Bitminer, a Monero miner based on XMRig.”
Fake Malwarebytes installation setup screen looks different than the real one.
Malwarebytes users must check if they have been infected by a coinminer. All you need to do is search for one of the following files on your PC:
%ProgramData%\VMware\VMware Tools\vmtoolsd.exe
%ProgramData%\VMware\VMware Tools\vmmem.exe
%ProgramData%\VMware\VMware Tools\vm3dservice.exe
%ProgramData%\VMware\VMware Tools\vmwarehostopen.exe
If your PC can detect the presence of any of the above-mentioned files, the fake installation should automatically be removed.
We also take a look at some of the best Bitcoin mining software for Windows 10.
