Ransomware disguises itself as Malwarebytes Anti-malware

BoraMurdar

Super Moderator
Thread author
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
Today, a new ransomware variant has been discovered, which masquerades as Malwarebytes, a well-known security company providing anti-malware security software.

In an analysis by MalwareHunter, it was found that the program is a cryptomalware called DetoxCrypto, which was initially detected back in August.

The malware's file properties were posted on VirusTotal, and it lists the following information:

[Image: the sample's file properties as listed on VirusTotal]


Clearly enough, the malware developer wants people to think that the program is a legitimate Malwarebytes security software. The poor imitation of the name could be a typographical error, or the developer was simply too lazy to do a quick fact check, and use the real name of the program instead.

It seems that this ransomware variant is in a trial run, as all versions detected still do not have any ability to encrypt a victim's files. Despite this, Christopher Boyd of the real Malwarebytes Labs thinks that the ransomware developer might be preparing for something big. He states:

"What we’re seeing at the moment is what appears to be a kind of trial run for ransomware distribution. There’s a couple of Detox Ransomware files doing the rounds, and though they’re all broken in terms of functionality and / or download / dropper URLs, it’s still a possible sign of things shortly coming around the corner and worth giving a heads up on."

At this point, we advise our readers to be very careful of what they download, and to make sure that the software that they are getting comes from a safe and legitimate website. Cybercriminals are always on the lookout for their next victim, so it's always a good idea to stay protected.

Source: Malwarebytes Labs via Graham Cluley
 

harlan4096

Super Moderator
Verified
Staff Member
Malware Hunter
Well-known
Apr 28, 2015
8,915
I've copied the hash of that sample from that VirusTotal link and downloaded the file again from the Malwr site, but this file was tested some days ago in the MalwareHub section of this forum:

https://malwaretips.com/threads/15-09-16-7.63442/#post-543891

And it seems for now that this file doesn't encrypt anything. I sent it, in fact, to KL VirusDesk and got a clean verdict. I've in fact tested it again dynamically in my VM, keeping it running for a while, and got the same result: that black window frame with those forms for public & decrypt keys...
 

Wave

You know you are the best and baddest malware author on this planet (with amazing top-notch English skills) when you can't even spell the product name right... /s

This is actually pathetic, the author couldn't even do a quick Google search to see the real spelling of the product name they were trying to imitate. I highly doubt this was done intentionally (they must have genuinely thought this was how it was spelt), what would be the point of misspelling it like this? It doesn't help "fool" anyone, it just makes it more obvious and raises more flags about it being suspicious/malware.
 

_CyberGhosT_

Level 53
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Aug 2, 2015
4,286
Is this one of those Nigerian scams? They spell like that :p
Seriously though, that's not fooling anyone worth their salt ;)
 

Wave

Agree with @Wave, quite pathetic. They probably scared a few people away from Malwarebytes this way. :(
There is just so much wrong with this sample that it is just funny really.

Firstly, they claim on the product info that the product is called "Malwerbyte" but they've made more than one mistake: we know they misspelt it for "Malwarebyte", but they forgot that additional "s" at the end of the name to make it "Malwarebytes" (or in this poor case, "Malwerbytes").

Secondly, no digital signature has been used to code sign this Portable Executable - if this sample really was from a reputable source like Malwarebytes, it would have this at the least to prove it's genuine and provide trust. This point right here raises an even more obvious suspicion flag.

Thirdly, the file size is only 213KB. Nothing more needs to be said about this, it's self-explanatory.

Fourthly, did I mention how they forgot to fill in the gaps in the copyright info between "Copyright ©" and "2016"?

It's just these little details which can help prevent you from being fooled and executing malicious software... paying attention to them can make a big difference between you becoming infected or staying secure!

I think this is close to making it to the top 10 for the world's "funniest" ransomware attacks of 2016. Wait no, make that the top 5 actually.
 
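The four tells listed in the post above (a lookalike brand name, no code signature, an implausibly small file, and a copyright string with no holder) can be turned into a metadata triage check. The script below is an added example written for this thread; it is not code from the thread, from Malwarebytes, or from the sample. The version-info fields are passed in as a plain dict so it runs offline (on a real file you would fill that dict from a PE parser such as pefile), the vendor list and the 1 MB size threshold are assumptions chosen for illustration, and the two metadata records are constructed to match the thread's description of the fake and a plausible genuine release. The lookalike check generalises beyond the one misspelling discussed: it scores any near-miss of a known vendor name by edit distance.

```python
"""Added example: flag the metadata tells of a fake anti-malware installer.
Not code from the thread, from Malwarebytes, or from the sample itself."""

import re

# Assumption: an illustrative list of vendors a fake might imitate.
KNOWN_VENDORS = ["Malwarebytes", "Microsoft", "Kaspersky", "ESET", "Bitdefender"]

# Assumption: a full anti-malware product is many megabytes; below this we flag.
MIN_PLAUSIBLE_SIZE = 1 * 1024 * 1024


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert / delete / substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def brand_lookalike(name: str, vendors=KNOWN_VENDORS):
    """Return (vendor, distance) when `name` is close to but not identical with a
    known vendor name, else None. Case-insensitive; the allowed distance grows
    with the vendor name length so a dropped 's' or a swapped letter both count."""
    n = name.strip().lower()
    best = None
    for v in vendors:
        d = levenshtein(n, v.lower())
        if 0 < d <= max(1, len(v) // 4) and (best is None or d < best[1]):
            best = (v, d)
    return best


def assess_version_info(info: dict, file_size: int, signed: bool) -> list:
    """Return human-readable indicators found in a PE's VS_VERSIONINFO strings.
    `info` uses the standard keys (ProductName, CompanyName, LegalCopyright);
    `signed` is whether a valid Authenticode signature was found."""
    findings = []
    for key in ("ProductName", "CompanyName"):
        hit = brand_lookalike(info.get(key, ""))
        if hit:
            findings.append(f"{key} '{info[key]}' is a near-miss of '{hit[0]}' "
                            f"(edit distance {hit[1]})")
    if not signed:
        findings.append("no Authenticode signature; a commercial vendor's release would be signed")
    if file_size < MIN_PLAUSIBLE_SIZE:
        findings.append(f"file size {file_size} bytes is far too small for a full anti-malware product")
    copyright_ = info.get("LegalCopyright", "")
    # Strip the word "Copyright", the © / (c) mark, the year and punctuation;
    # whatever is left is the holder. "Copyright © 2016" leaves nothing.
    holder = re.sub(r"copyright|©|\(c\)|\d{4}|[\s,.-]", "", copyright_, flags=re.IGNORECASE)
    if copyright_ and not holder:
        findings.append(f"LegalCopyright '{copyright_}' names no copyright holder")
    return findings


# Constructed metadata modelled on the thread's description of the fake
# (product name "Malwerbyte", "Copyright © 2016", 213 KB, unsigned); not the real file.
FAKE_SAMPLE = {
    "ProductName": "Malwerbyte",
    "CompanyName": "Malwerbyte",
    "LegalCopyright": "Copyright © 2016",
}
FAKE_SIZE = 213 * 1024

# Constructed counter-example shaped like a genuine, signed release (illustrative values).
GENUINE_SAMPLE = {
    "ProductName": "Malwarebytes",
    "CompanyName": "Malwarebytes",
    "LegalCopyright": "Copyright © 2016 Malwarebytes",
}
GENUINE_SIZE = 60 * 1024 * 1024

if __name__ == "__main__":
    for line in assess_version_info(FAKE_SAMPLE, FAKE_SIZE, signed=False):
        print("-", line)
    print("genuine-shaped sample findings:",
          assess_version_info(GENUINE_SAMPLE, GENUINE_SIZE, signed=True))
```

Run against the constructed fake it reports all five tells (both name fields, the missing signature, the size and the holder-less copyright); the genuine-shaped record produces nothing. The edit-distance threshold is deliberately tight so that vendor names that legitimately differ by a few letters are not flagged; tune it per vendor list.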

CMLew

Level 23
Verified
Well-known
Oct 30, 2015
1,251
For those of us who regularly visit security forums, this wouldn't be an issue. For typical home users, especially those who aren't exposed to these yet, very likely they're gonna run it.
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Don't you think it is an intentional way to confuse users? haha

Remember, one of the clever tactics is to lure users with a simply misspelled name, while the UI and such attempt to imitate the legitimate functions.
 
