Fake Malwarebytes Installation Files Distributing Coinminer | Avast

On Friday, August 21, 2020, we began detecting fake Malwarebytes installation files containing a backdoor that loads a Monero miner based on XMRig onto infected PCs. The most prevalent filename under which one of the installation files is being distributed is “MBSetup2.exe”. Avast has protected nearly 100K Avast and AVG users from the fake installation files, which are mostly  spreading in Russia, the Ukraine, and Eastern Europe. As of yet, we do not know where or how the fake installation file is being distributed, but we can confirm that the installation files are not being distributed via official Malwarebytes channels, which remain trusted sources. 

The cybercriminals behind this have repackaged the Malwarebytes installer to contain a malicious payload. The fake installation file, MBSetup2.exe, is an unsigned file which contains malicious dll files called Qt5Help.dll and Qt5WinExtras.dll with invalid digital signatures. All other portable executable (PE) files packed inside the installer are signed with valid Malwarebytes or Microsoft certificates. 

The person or people behind this can change the malicious payload at any time, distributing other malicious programs to infected PCs. 

What happens when the fake installer is launched

After executing one of the fake Malwarebytes installers, a fake Malwarebytes setup wizard appears. The malware installs a fake Malwarebytes program to “%ProgramFiles(x86)%Malwarebytes” and hides a majority of the malicious payload inside one of the two dlls, Qt5Help.dll. The malware notifies victims that Malwarebytes was successfully installed, which is not true, as the program cannot be opened. 

The malware then installs itself as a service called “MBAMSvc” and proceeds to download an additional malicious payload, which is currently a cryptocurrency miner called Bitminer, a Monero miner based on XMRig.

The installation wizard is based on the popular Inno Setup tool which makes it look different from the actual Malwarebytes installer, as can be seen in the screenshots below.

Fake installation setup screen

Real Malwarebytes installation setup screen

How to check if your PC has been infected 

Concerned users can check if they have been infected by searching for one of the following files on their PC: 

  • %ProgramData%VMwareVMware Toolsvmtoolsd.exe
  • %ProgramData%VMwareVMware Toolsvmmem.exe
  • %ProgramData%VMwareVMware Toolsvm3dservice.exe
  • %ProgramData%VMwareVMware Toolsvmwarehostopen.exe

If any of these files are present, all files under “%ProgramFiles(x86)%Malwarebytes” and the executables under “%ProgramData%VMwareVMware Tools” should be deleted, and if possible, the service “MBAMSvc” can also be removed. Avast detects and quarantines the installer and the dll files, making the MBAMSvc service benign. MBAMSvc can be removed by opening an elevated command prompt and executing the command “sc.exe delete MBAMSvc” 

Users who also have the real Malwarebytes software installed should be careful when removing these files, as the actual Malwarebytes program also installs itself to %ProgramFiles%Malwarebytes. To be on the safe side, users can remove all the files in this folder, and reinstall Malwarebytes directly from their website. 

Avast has notified Malwarebytes of the fake installation files being circulated. 

Indicators of Compromise:

Installers (SHA-256 hashes):

dfb1a78be311216cd0aa5cb78759875cd7a2eeb5cc04a8abc38ba340145f72b9

f2caa14fd11685ba28068ea79e58bf0b140379b65921896e227a0c7db30a0f2c

6c8f6d6744e1353a5ed61a6df2be633637e288a511ba082b0a49aea3e96d295a

5c3b72ca262814869e6551e33940dc122e22a48b4f0b831dbe11f85f4b48a330

3ee609ef1c07d774b9fbf7f0f7743c8e7e5ba115162336f0e6e7482b4a72f412

C&C Domains:

dl.bytestech[.]dev

dl.cloudnetbytes[.]com

apis.masterbyte[.]nl
apis.mbytestech[.]com
apis.bytestech[.]dev

Cryptocurrency miners (SHA-256 hashes):

c6a8623e74f5aad94d899770b4a2ac5ef111e557661e09e62efc1d9a3eb1201c
fea67139bc724688d55e6a2fde8ff037b4bd24a5f2d2eb2ac822096a9c214ede

b3755d85548cefc4f641dfb6af4ccc4b3586a9af0ade33cc4e646af15b4390e7
7f7b6939ae77c40aa2d95f5bf1e6a0c5e68287cafcb3efb16932f88292301a4d
c90899fcaab784f98981ce988ac73a72b0b1dbceb7824f72b8218cb5783c6791
61b194c80b6c2d2c97920cd46dd62ced48a419a09179bae7de3a9cfa4305a830

Cryptocurrency miners (filesystem locations):

%ProgramData%VMwareVMware Toolsvmtoolsd.exe

%ProgramData%VMwareVMware Toolsvmmem.exe

%ProgramData%VMwareVMware Toolsvm3dservice.exe

%ProgramData%VMwareVMware Toolsvmwarehostopen.exe