FakeMBAM Backdoor Description
The FakeMBAM Backdoor is a remote access threat distributed through the automatic update mechanism of a torrent client, Download Studio, and of three ad-blocker programs: NetShield Kit, My AdBlock, and Net AdBlock. Download Studio is a free torrent client that is popular mostly in Russia and Ukraine; as a result, most of the users affected by the FakeMBAM Backdoor are from these two countries as well. There is no concrete explanation of why the torrent client and the ad-blocking programs suddenly began delivering a backdoor through their automatic updates. Infosec researchers did, however, find some disturbing aspects, such as code similarities among all four programs, and the websites for the three ad blockers appear to be hosted at the same IP address.
The FakeMBAM Backdoor itself is hidden inside an installer that attempts to pass itself off as a legitimate one. The hackers went to great lengths to recreate as much of the legitimate program as they could, but two of its components are impostors. The fake installer drops one modified DLL file named 'Qt5WinExtras.dll,' one corrupted DLL file, 'Qt5Help.dll,' and a new 'data.pak' file. The 'Qt5WinExtras.dll' mimics the file of the same name from the legitimate program, but this copy has a function inserted into it that calls a function exported by 'Qt5Help.dll.'
The main threatening functionality is performed by the 'Qt5Help.dll' file. It is responsible for establishing persistence mechanisms, contacting the Command-and-Control servers, waiting for instructions, and delivering persistent payloads that are then stored in encrypted form in the 'data.pak' file. Most of the payloads detected by the researchers were cryptocurrency miners, but the hackers could easily expand the range of delivered threats, especially since the FakeMBAM Backdoor can handle several payloads at the same time. FakeMBAM is capable of executing each payload in six different ways, depending on the received commands, and it also performs a specific setup action before executing each payload.
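One defender-side check that follows from the DLL pairing described above, added here as an example and not code from the original write-up or from the analysts who documented FakeMBAM: a minimal PE import-table walk that flags a file named Qt5WinExtras.dll whose imports include Qt5Help.dll. It assumes the inserted call is a static import; if the function were resolved at run time instead, it would not appear in the import directory and this check would miss it, and the sample PE it parses is constructed inline rather than taken from a real infection.

```python
import struct

def _u(fmt, data, off):
    return struct.unpack_from(fmt, data, off)

def imported_dlls(data: bytes) -> list:
    """Minimal PE import-directory walk: return the DLL names the image imports from."""
    pe = _u("<I", data, 0x3C)[0]                                   # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    nsect, opt_size = _u("<H", data, pe + 6)[0], _u("<H", data, pe + 20)[0]
    opt = pe + 24
    dd = opt + (96 if _u("<H", data, opt)[0] == 0x10B else 112)   # data directories: PE32 vs PE32+
    imp_rva = _u("<I", data, dd + 8)[0]                            # directory entry 1 = import table
    secs = [_u("<III", data, opt + opt_size + i * 40 + 12) for i in range(nsect)]  # (VA, raw size, raw ptr)
    def off(rva):                                                  # RVA -> file offset via section table
        for va, size, ptr in secs:
            if va <= rva < va + size:
                return rva - va + ptr
        raise ValueError("RVA outside any section")
    names, d = [], off(imp_rva)
    while (name_rva := _u("<I", data, d + 12)[0]) != 0:            # IMAGE_IMPORT_DESCRIPTOR.Name; 0 terminates
        o = off(name_rva)
        names.append(data[o:data.index(b"\0", o)].decode("ascii"))
        d += 20
    return names

def sideload_suspect(filename: str, data: bytes) -> bool:
    """Flag the pairing the write-up describes: a Qt5WinExtras.dll that imports from Qt5Help.dll."""
    return filename.lower() == "qt5winextras.dll" and "qt5help.dll" in (n.lower() for n in imported_dlls(data))

def build_sample_pe(dll_names) -> bytes:
    """Constructed sample (not a real FakeMBAM file): a bare PE32 whose one section is an import directory."""
    sec_rva, sec_off = 0x1000, 0x200
    pos, descs = 20 * (len(dll_names) + 1), b""
    for n in dll_names:                                            # one descriptor per DLL, Name RVA at +12
        descs += struct.pack("<IIIII", 0, 0, 0, sec_rva + pos, 0)
        pos += len(n) + 1
    body = descs + b"\0" * 20 + b"".join(n.encode() + b"\0" for n in dll_names)
    hdr = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80) + b"\0" * 64             # DOS header, e_lfanew = 0x80
    hdr += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)   # COFF header, one section
    hdr += struct.pack("<H", 0x10B) + b"\0" * 102 + struct.pack("<II", sec_rva, len(body)) + b"\0" * 112
    hdr += b".idata\0\0" + struct.pack("<IIII", len(body), sec_rva, len(body), sec_off) + b"\0" * 16
    return hdr.ljust(sec_off, b"\0") + body

if __name__ == "__main__":
    sample = build_sample_pe(["KERNEL32.dll", "Qt5Help.dll"])
    print(imported_dlls(sample), sideload_suspect("Qt5WinExtras.dll", sample))
```

A legitimate Qt application may import Qt5Help.dll on its own, so the filename condition matters: the anomaly is Qt5WinExtras.dll doing so, not the import by itself.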