A piece of software masquerading as a security product from Malwarebytes is making its rounds on the web and distributing ransomware to unsuspecting users.
This technique isn’t new. Malicious software has been disguising itself as anti-virus solutions since the 1990s.
What’s significant about this particular attack campaign is the crypto-malware behind the mask: DetoxCrypto.
The ransomware has been making quite a stir since researchers first detected it back in August. Already it has two variants to its name: a “Calipso” iteration that takes a screenshot of the victim’s computer, and a Pokémon GO-themed encrypter.
(To be fair, the latter isn’t the only one of its kind.)
But recent developments suggest DetoxCrypto might just be getting started.
Christopher Boyd, a security researcher at Malwarebytes, explains that whoever is behind the ransomware could be planning something big for the near future:
“What we’re seeing at the moment is what appears to be a kind of trial run for ransomware distribution. There are a couple of Detox Ransomware files doing the rounds, and though they’re all broken in terms of functionality and/or download/dropper URLs, it’s still a possible sign of things shortly coming around the corner and worth giving a heads up on.”
That being said, there’s not much for users to worry about for the immediate future.
Take a look at this image taken from the ransomware’s VirusTotal page:
See anything wrong with that entry?
Last time I checked, Malwarebytes isn’t spelled “Malwerbyte.” That should automatically raise a red flag that this product is a fake.
Not only that, but none of the current versions of “Malwerbyte” that Malwarebytes’ researchers have come across actually encrypt a victim’s files, which means victims don’t need to worry about data loss from this ransomware just yet.
But things are fluid in the world of ransomware.
You never know when a malware developer will plug a vulnerability or fix a spelling error in their product.
With that being said, if you are looking to install an anti-virus solution such as one of Malwarebytes’ products, make sure you do so directly from the vendor’s real website. That way you don’t have to worry about any of these middlemen potentially pushing malware onto your computer.
Found this article interesting? Follow Graham Cluley on Twitter or Mastodon to read more of the exclusive content we post.