Monero miner based on XMRig infects PCs via illegitimate software downloads
On Friday, August 21, 2020, we began detecting fake Malwarebytes installation files containing a backdoor that loads a Monero miner based on XMRig onto infected PCs. The most prevalent filename under which one of the installation files is being distributed is “MBSetup2.exe”. Avast has protected nearly 100K Avast and AVG users from the fake installation files, which are mostly spreading in Russia, the Ukraine, and Eastern Europe. As of yet, we do not know where or how the fake installation file is being distributed, but we can confirm that the installation files are not being distributed via official Malwarebytes channels, which remain trusted sources.
The cybercriminals behind this have repackaged the Malwarebytes installer to contain a malicious payload. The fake installation file, MBSetup2.exe, is an unsigned file which contains malicious dll files called Qt5Help.dll and Qt5WinExtras.dll with invalid digital signatures. All other portable executable (PE) files packed inside the installer are signed with valid Malwarebytes or Microsoft certificates.
The person or people behind this can change the malicious payload at any time, distributing other malicious programs to infected PCs.
What happens when the fake installer is launched
After executing one of the fake Malwarebytes installers, a fake Malwarebytes setup wizard appears. The malware installs a fake Malwarebytes program to "%ProgramFiles(x86)%Malwarebytes" and hides a majority of the malicious payload inside one of the two dlls, Qt5Help.dll. The malware notifies victims that Malwarebytes was successfully installed, which is not true, as the program cannot be opened.
The malware then installs itself as a service called "MBAMSvc" and proceeds ..
Support the originator by clicking the read the rest link below.
