Team: Huntress EDR
Product: Intuit QuickBooks
Environment: Scamware detection
Summary: Huntress reports on all types of detections, including scamware, where a legitimate looking software is actually malicious. QuickBooks malware is one of those that we report on.
Huntress is aware that reports appear to be reporting QuickBooks as malicious. However, this threat is scamware, masquerading as QuickBooks. We validate this through a number of methods
- The legitimate path for QuickBooks is:
C:\Users\Public\Public Documents\Intuit\QuickBooksdeviations from this are suspicious, for example:
- Legitimate QuickBooks installations have different certificates and signatures to the malicious fake QuickBooks
- We know the legitimate file names that QuickBooks is supposed to use, and we detect variations from this - for example, the single character difference between the legitimate QuickbooksDownloader.exe and the maliciously named QuickbooksDownloder.exe , which is missing the ‘a’ in load.
- This is what the scam QuickBooks will dialogue box will look like
Right-click on the QuickBooks program Huntress has reported
From here, click properties.
In properties, traverse to digital signatures.
If the signer's name is
Solanki Piyushkumar, please note that this is an illegitimate signer for QuickBooks. This means that the QuickBooks software you have is compromised.
Please refer back to the infection report for remediation steps.