The team at Avast has recently discovered a new campaign that infects a victim’s computer with a crypto miner after downloading an illegitimate version of the popular Malwarebytes anti-malware program. The cybercriminals behind this attack have repackaged the fake installer to include a backdoor that includes the Monero Miner and remains open to the attackers so they can change the malicious payload at their leisure. Currently, Avast is unclear on how the fake installer is being distributed but it is not through the official Malwarebytes website. The malware has been detected recently spreading through Russia, Ukraine, and Eastern Europe. After executing the fake installer, the malware installs a fake, unsigned version of Malwarebytes to “%ProgramFiles(x86)%Malwarebytes” and hides a majority of the malicious payload inside one of two DLL files, Qt5Help.dll and Qt5WinExtras.dll, which do not have valid digital signatures. The fake installation wizard is based on the popular Inno Setup tool which makes it look authentic, but with some differences to the authentic installer.
Detecting execution of unsigned programs and invalid digital signatures of .exe and DLL files is a useful threat hunting query, although it is common for older files with expired certificates to be executed. Computer users who wish to download and use Malwarebytes should only use the downloader that is located on the company’s website which is a trusted source. It is also advisable to keep any anti-virus program updated so that it can detect and defend from new threats. Currently, Avast states that they have already protected nearly 100,000 users from this fake installation.
Source Article: https://blog.avast.com/fake-malwarebytes-installation-files-distributing-coinminer