The team at Avast has recently discovered a campaign that infects a victim's computer with a cryptocurrency miner after the victim downloads an illegitimate version of the popular Malwarebytes anti-malware program. The cybercriminals behind the attack repackaged the installer to include a backdoor that delivers a Monero miner and stays open to the attackers, so they can swap the malicious payload whenever they choose. Avast does not yet know how the fake installer is being distributed, but it is not through the official Malwarebytes website. The malware has recently been detected spreading in Russia, Ukraine, and Eastern Europe. When the fake installer runs, it installs a fake, unsigned copy of Malwarebytes to "%ProgramFiles(x86)%\Malwarebytes" and hides most of the malicious payload in one of two DLL files, Qt5Help.dll and Qt5WinExtras.dll, neither of which carries a valid digital signature. The fake installation wizard is built with the popular Inno Setup tool, which makes it look authentic, although it differs in some details from the genuine installer.
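One practical check that follows from the indicators above is to audit the Malwarebytes install directory for binaries without a valid Authenticode signature, since the article states the real product is signed and the trojanized copy is not. The script below is an added example written for this page, not code from Avast or from Malwarebytes. It takes the install path and the two DLL names from the article; everything else (the use of Get-AuthenticodeSignature, the SHA-256 hashing, the output layout) is an assumption about how a defender would want to triage a machine.

```powershell
# Added example (not from the Avast report): audit the Malwarebytes install
# directory for executables and DLLs that are not validly signed.
# The path and the two DLL names are taken from the article; the rest is
# an assumption about how a responder would want the results presented.

$InstallDir  = Join-Path ${env:ProgramFiles(x86)} 'Malwarebytes'
$SuspectDlls = @('Qt5Help.dll', 'Qt5WinExtras.dll')   # named in the report

if (-not (Test-Path -Path $InstallDir)) {
    Write-Output "No Malwarebytes directory found at $InstallDir"
    return
}

# Collect signature status and a hash for every PE file under the install dir.
$results = Get-ChildItem -Path $InstallDir -Recurse -Include *.exe, *.dll -File |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            File    = $_.FullName
            Status  = $sig.Status          # Valid, NotSigned, HashMismatch, UnknownError ...
            Signer  = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' }
            Suspect = $SuspectDlls -contains $_.Name
            SHA256  = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }

# Anything that is not validly signed deserves a look; the two DLLs from the
# report are flagged explicitly because that is where the payload was found.
$flagged = $results | Where-Object { $_.Status -ne 'Valid' -or $_.Suspect }

$flagged | Format-Table File, Status, Signer, Suspect -AutoSize

$hit = $flagged | Where-Object { $_.Suspect -and $_.Status -ne 'Valid' }
if ($hit) {
    Write-Warning ("Unsigned {0} present: consistent with the trojanized installer described by Avast" -f ($hit.File -join ', '))
}

# Emit the full inventory so the hashes can be kept with the case notes.
$results
```

A `NotSigned` status on either Qt5Help.dll or Qt5WinExtras.dll is the condition the article describes; `HashMismatch` means a signed file was modified after signing and is equally worth escalating. Compare the `Signer` column against the subject your organisation expects for genuine Malwarebytes binaries rather than trusting any signature that merely validates.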
By Anthony Zampino Introduction Leading up to the most recent Russian invasion of Ukraine in