Attackers Use Fake Ad Blocker Executables to Spread Monero Miners
Researchers at SecureList have discovered several fake apps delivering a Monero cryptocurrency miner to user’s computers. They are being distributed through malicious websites that may turn up in the victim’s search results. Evidence suggests that this new wave of attacks is a continuation of the Summer 2020 campaign that used fake Malwarebytes executables to spread malicious mining software.
The cybercriminals behind this have repackaged the Malwarebytes installer to contain a malicious payload. The fake installation file, MBSetup2.exe, is an unsigned file which contains malicious dll files called Qt5Help.dll and Qt5WinExtras.dll with invalid digital signatures. All other portable executable (PE) files packed inside the installer are signed with valid Malwarebytes or Microsoft certificates.
In this latest campaign, multiple apps were impersonated by the malware: the ad blockers AdShield and Netshield, as well as the OpenDNS service.
As of February 2021, there have been attempts to install the fake applications on the devices of more than seven-thousand users. At the peak of the current campaign, more than 2,500 unique users per day were attacked, with most of the victims located in Russia and CIS countries.
How to remove the miner
If the QtWinExtras.dll file is detected on your device, reinstall Malwarebytes. If Malwarebytes is not in the list of apps, you need to delete all the following folders that are on the disk:
- %program files%\malwarebytes
- program files (x86)\malwarebytes
- %windir%\.old\program files\malwarebytes
- %windir%\.old\program files (x86)\malwarebytes
If flock.exe is detected on your device:
- Uninstall NetshieldKit, AdShield, uninstall or reinstall OpenDNS (whichever is installed on your device).
- Reinstall the Transmission torrent client or uninstall it if you don’t need it.
- Delete the folders (if present on the disk)
- C:\ProgramData\Flock
- %allusersprofile%\start menu\programs\startup\flock
- %allusersprofile%\start menu\programs\startup\flock2
- Delete the servicecheck_XX task (where XX are random numbers) in Windows Task Scheduler.
IOCs
DNS
- 142[.]4[.]214[.]15
- 185[.]201[.]47[.]42
- 176[.]31[.]103[.]74
- 37[.]59[.]58[.]122
- 185[.]192[.]111[.]210
Domains
- adshield[.]pro
- transmissionbt[.]org
- netshieldkit[.]com
- opendns[.]info
Hashes
- 5aa0cda743e5fbd1d0315b686e5e6024 (AdShield installer)
- 81BC965E07A0D6C9E3EB0124CDF97AA2 (updater.exe)
- ac9e74ef5ccab1d5c2bdd9c74bb798cc (modified Transmission installer)
- 9E989EF2A8D4BC5BA1421143AAD59A47 (NetShield installer)
- 2156F6E4DF941600FE3F44D07109354E (OpenDNS installer)