Ransomware disguises itself as Malwarebytes Anti-malware

BoraMurdar

Today, a new ransomware variant has been discovered, which masquerades as Malwarebytes, a well known security company providing anti-malware security software.

In an analysis by MalwareHunter, it was found out that the program is a cryptomalware called DetoxCrypto, which was initially detected back in August.

The malware's file properties were posted on VirusTotal, and it lists the following information:

[Image: screenshot of the sample's file properties as listed on VirusTotal]


Clearly enough, the malware developer wants people to think that the program is a legitimate Malwarebytes security software. The poor imitation of the name could be a typographical error, or the developer was simply too lazy to do a quick fact check, and use the real name of the program instead.

It seems that this ransomware variant is in a trial run, as all versions detected still do not have any ability to encrypt a victim's files. Despite this, Christopher Boyd of the real Malwarebytes Labs thinks that the ransomware developer might be preparing for something big. He states:

"What we’re seeing at the moment is what appears to be a kind of trial run for ransomware distribution. There’s a couple of Detox Ransomware files doing the rounds, and though they’re all broken in terms of functionality and / or download / dropper URLs, it’s still a possible sign of things shortly coming around the corner and worth giving a heads up on."

At this point, we advise our readers to be very careful of what they download, and to make sure that the software that they are getting comes from a safe and legitimate website. Cybercriminals are always on the lookout for their next victim, so it's always a good idea to stay protected.

Source: Malwarebytes Labs via Graham Cluley
 
I've copied the hash of that sample from that VirusTotal link and downloaded the file again from the Malwr site, but this file was tested some days ago in the MalWareHub section of this forum:

https://malwaretips.com/threads/15-09-16-7.63442/#post-543891

And it seems for now that this file doesn't encrypt anything. I sent it, in fact, to KL VirusDesk and got a clean verdict; I've also tested it again dynamically in my VM, keeping it running for a while, and got the same result: that black window frame with those forms for the public & decrypt keys...
 
You know you are the best and baddest malware author on this planet (with amazing top-notch English skills) when you can't even spell the product name right... /s

This is actually pathetic, the author couldn't even do a quick Google search to see the real spelling of the product name they were trying to imitate. I highly doubt this was done intentionally (they must have genuinely thought this was how it was spelt), what would be the point of misspelling it like this? It doesn't help "fool" anyone, it just makes it more obvious and raises more flags about it being suspicious/malware.
 
Agree with @Wave, quite pathetic. They probably scared a few people away from Malwarebytes this way. :(
There is just so much wrong with this sample that it is just funny really.

Firstly, they claim on the product info that the product is called "Malwerbyte" but they've made more than one mistake: we know they misspelt it for "Malwarebyte", but they forgot that additional "s" at the end of the name to make it "Malwarebytes" (or in this poor case, "Malwerbytes").

Secondly, no digital signature has been used to code sign this Portable Executable - if this sample really was from a reputable source like Malwarebytes, it would have this at the least to prove it's genuine and provide trust. This point right here raises an even more obvious suspicion flag.

Thirdly, the file size is only 213KB. Nothing more needs to be said about this, it's self-explanatory.

Fourthly, did I mention how they forgot to fill in the gaps in the copyright info between "Copyright ©" and "2016"?

It's just these little details which can help prevent you from being fooled and executing malicious software... paying attention to them can make a big difference between you becoming infected or staying secure!

I think this is close to making it to the top 10 for the world's "funniest" ransomware attacks of 2016. Wait no, make that the top 5 actually.
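The four checks in the post above (vendor name in the version info, Authenticode signature, file size, and an owner-less copyright string) can be pulled from a file with a few lines of PowerShell. The script below is an added example and is not code from the thread or from Malwarebytes; the expected-vendor list, the 5 MB size threshold, and the copyright regex are assumptions chosen for this illustration. It only reads file metadata, so it is safe to run on a sample you are triaging before deciding whether to execute it in a VM.

```powershell
# Added example, not from the thread: report the red flags discussed in the post
# for a given executable. ExpectedVendors and MinimumPlausibleBytes are assumptions.
param(
    [Parameter(Mandatory = $true)][string]$Path,
    # Assumed: vendor names you expect in ProductName/CompanyName/signer subject
    [string[]]$ExpectedVendors = @('Malwarebytes'),
    # Assumed: a real anti-malware installer is far larger than this
    [int]$MinimumPlausibleBytes = 5MB
)

$item  = Get-Item -LiteralPath $Path
$vi    = $item.VersionInfo
$sig   = Get-AuthenticodeSignature -LiteralPath $Path
$hash  = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
$flags = New-Object System.Collections.Generic.List[string]

# 1. Product/company name: a misspelling such as "Malwerbyte" fails this match
$vendorMatch = $false
foreach ($v in $ExpectedVendors) {
    if ($vi.ProductName -like "*$v*" -or $vi.CompanyName -like "*$v*") { $vendorMatch = $true }
}
if (-not $vendorMatch) {
    $flags.Add("Product/company name matches no expected vendor: '$($vi.ProductName)' / '$($vi.CompanyName)'")
}

# 2. Authenticode: genuine vendor binaries are signed, the chain validates,
#    and the signer subject names the vendor
if ($sig.Status -ne 'Valid') {
    $flags.Add("Signature status is '$($sig.Status)' (expected 'Valid')")
} elseif ($sig.SignerCertificate.Subject -notmatch ($ExpectedVendors -join '|')) {
    $flags.Add("Signed, but by '$($sig.SignerCertificate.Subject)', not an expected vendor")
}

# 3. Size: a ~200 KB "anti-malware suite" is implausible
if ($item.Length -lt $MinimumPlausibleBytes) {
    $flags.Add("File is only $([math]::Round($item.Length / 1KB)) KB")
}

# 4. Copyright string that is empty or names no owner, e.g. "Copyright © 2016"
if ([string]::IsNullOrWhiteSpace($vi.LegalCopyright) -or
    $vi.LegalCopyright -match '^\s*Copyright\s*(\(c\)|©)?\s*\d{4}\s*$') {
    $flags.Add("Copyright field is empty or names no owner: '$($vi.LegalCopyright)'")
}

[pscustomobject]@{
    Path      = $item.FullName
    SHA256    = $hash            # look this up on VirusTotal instead of running the file
    Product   = $vi.ProductName
    Company   = $vi.CompanyName
    Copyright = $vi.LegalCopyright
    Signature = $sig.Status
    SizeKB    = [math]::Round($item.Length / 1KB)
    Flags     = $flags
}
```

Run it as `.\Check-FileProps.ps1 -Path C:\samples\suspect.exe` (the script name is an assumption). An empty `Flags` list does not prove a file is clean; a signed, correctly named binary can still be malicious. But any non-empty list is reason to stop and check the SHA256 on VirusTotal, as the first post did, before going further.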
 

For those of us who regularly visit security forums, this wouldn't be an issue. For typical home users, especially those who aren't exposed to these yet, it's very likely they're gonna run it.
 
Don't you think it is an intentional way to confuse users? haha

Remember, one of the clever tactics is to lure users with a simply misspelled name, while the UI and such attempt to imitate the legitimate functions.