
FakeMBAM Backdoor

Posted: October 19, 2020

The FakeMBAM Backdoor is a backdoor Trojan that provides attackers with remote access, which, at the time of writing, they are using to run cryptocurrency-mining tools. This Trojan's campaign abuses the self-updating features of ad-blocking add-ons and a torrent manager to achieve installations without notifying the user. Users should remove all compromised software, delete the FakeMBAM Backdoor through anti-malware services, and check their Windows Defender settings for unwanted changes.

Through Ad-Blockers and More

Strong circumstantial evidence implies that a new backdoor Trojan, the FakeMBAM Backdoor, is getting its distribution through workers with access to the code of one of Russia's most popular torrenting applications. Download Studio is one of several pseudo-bundles for the FakeMBAM Backdoor, which also uses a copy-paste series of ad-blocker add-ons for browsers. In most cases, this threat's background installation is silent, although the FakeMBAM Backdoor also has a bold backup plan.

The possibility that Download Studio employees, rogue or otherwise, are part of the FakeMBAM Backdoor's campaign follows from unmistakable similarities in obfuscation, and in C&C addresses, that the Trojan shares with the other programs. The FakeMBAM Backdoor's installation exploit abuses the auto-update process and suppresses visual elements, like icons and pop-up messages, with several command-line arguments. Additionally, malware experts confirm that the statistics on FakeMBAM Backdoor infections roughly align with Download Studio's user base in Russia and neighboring countries.

The FakeMBAM Backdoor's threat actor puts significant work into making the Trojan look like a cyber-security program. The disguise goes to the point where launching that program's executable also loads the Trojan's corrupted DLLs if they're in the same folder. The details of the FakeMBAM Backdoor's craftsmanship, such as its file names, directories, and even its installation screen, imitate the security program without being identical, which avoids the risk of overwriting the program or causing other conflicts.

Meanwhile, with the user's trust secured even if they notice the system changes, the FakeMBAM Backdoor proceeds with stereotypical backdoor Trojan attacks that let attackers control the computer's installed programs and settings.

Getting to What's Really Inside a Fake Program

The FakeMBAM Backdoor doesn't bundle with or run the program it imitates, and its imitation seems to be nothing more than a sleight of hand for distracting users from its installation and persistence. Like the installation, the FakeMBAM Backdoor's payload persists while avoiding the user's attention. It maintains Command & Control contact with the attacker's servers in a never-ending loop and handles various software management tasks, such as terminating unwanted processes or reinstalling programs that the user uninstalls.

For now, malware experts can't confirm attacks other than the FakeMBAM Backdoor's installing cryptocurrency-mining tools. This usage also fits some of this campaign's associated domains, which have relationships to XMRig (a widely used mining tool, thanks to its potentially low system impact and availability). This software 'monetizes' victims' systems by using their hardware, such as the CPU, automatically and channeling the funds to the threat actor's wallet.

Malware analysts recommend uninstalling the ad-blocker software currently associated with this campaign, including My AdBlock, Net Adblock, and Netshield Kit (all of which are identical beneath the hood), as well as the Download Studio torrent application. Employing suitable anti-malware programs for disinfection will delete the FakeMBAM Backdoor and these related programs, along with any additional payloads, like XMRig.
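A defender-side triage script, added here as an illustration and not part of the original article or of any product it mentions: it prints the Windows Defender settings the article advises checking and lists DLLs sitting beside a chosen security program's executable that do not carry that executable's publisher signature, the co-location the article describes. The default `$ExePath` is a placeholder to be replaced with the real program's path.

```powershell
param(
    # Placeholder path; replace with the imitated security program's real executable.
    [string]$ExePath = 'C:\Program Files\ExampleSecurityTool\tool.exe'
)

# --- 1. Defender settings the article says may have been altered ---
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[PSCustomObject]@{
    RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
    AntivirusEnabled          = $status.AntivirusEnabled
    IsTamperProtected         = $status.IsTamperProtected
    DisableRealtimeMonitoring = $pref.DisableRealtimeMonitoring
} | Format-List

# Any exclusion deserves a second look: exclusions are the usual way
# unwanted software keeps its own folders and processes out of scans.
foreach ($name in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    $values = $pref.$name
    if ($values) {
        Write-Output "${name}:"
        $values | ForEach-Object { Write-Output "    $_" }
    }
}

# --- 2. DLLs beside the executable that do not carry its publisher's signature ---
if (-not (Test-Path -LiteralPath $ExePath)) {
    Write-Warning "Executable not found: $ExePath"
    return
}
$exeSig    = Get-AuthenticodeSignature -FilePath $ExePath
$exeSigner = if ($exeSig.SignerCertificate) { $exeSig.SignerCertificate.Subject } else { '<unsigned>' }
Write-Output "Executable signer: $exeSigner"

Get-ChildItem -LiteralPath (Split-Path -Parent $ExePath) -Filter '*.dll' -File |
    ForEach-Object {
        $sig    = Get-AuthenticodeSignature -FilePath $_.FullName
        $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
        # Report anything unsigned, invalidly signed, or signed by a different publisher.
        if ($sig.Status -ne 'Valid' -or $signer -ne $exeSigner) {
            [PSCustomObject]@{
                Dll      = $_.Name
                Status   = $sig.Status
                Signer   = $signer
                Modified = $_.LastWriteTime
            }
        }
    } | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on the affected machine; a DLL flagged in the second table, or an exclusion covering the program's own folder, is what to hand to the anti-malware scan described above.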

There's a great deal worth being suspicious about when it comes to the FakeMBAM Backdoor. Although it's blatantly illicit, the fingerprints in its code suggest a murkier relationship with applications that some users find helpful – but that can, ever so quietly, be threatening.
