Cybersecurity researchers on Tuesday lifted the lid on a previously undocumented malware strain dubbed “MosaicLoader” that singles out people searching for cracked software as part of a global campaign.
“The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service,” Bitdefender researchers said in a report shared with The Hacker News. “The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links.”
The malware has been so named because of its sophisticated internal structure, which is orchestrated to prevent reverse-engineering and evade analysis.
Attacks involving MosaicLoader rely on a well-established tactic for malware delivery known as search engine optimization (SEO) poisoning, whereby cybercriminals purchase ad slots in search engine results to boost their malicious links as top results when users search for terms related to pirated software.
Upon a successful infection, the initial Delphi-based dropper, which masquerades as a software installer, acts as an entry point to fetch next-stage payloads from a remote server and also adds local exclusions in Windows Defender for the two downloaded executables in an attempt to thwart antivirus scanning.
It is worth pointing out that such Windows Defender exclusions can be found in the registry keys listed below:
- File and folder exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
- File type exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
- Process exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
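As an added defender-side example (not code from the Bitdefender report), the following PowerShell audits the three exclusion keys listed above, flags entries that were not deliberately set and that point into user-writable locations, and pulls the Defender configuration-change events that record when an exclusion was added. It assumes an elevated session on a host running Microsoft Defender and a `$Baseline` list that you populate with your own approved exclusions; the entry shown is a constructed placeholder.

```powershell
# Added example, not from the Bitdefender report. Assumes an elevated PowerShell
# session on a Defender-protected host. $Baseline holds the exclusions your
# organisation set on purpose; the entry below is a constructed placeholder.
$Baseline = @('C:\Program Files\ExampleBackup\agent.exe')

$ExclusionRoot = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
# A dropper that excludes the files it just wrote leaves path exclusions inside
# user-writable locations, which is what this pattern looks for.
$UserWritable = '\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\|\\Temp\\|\\ProgramData\\|^[A-Za-z]:\\?$'
$RiskyExt     = '^\.?(exe|dll|scr|ps1|bat|cmd|vbs|js|tmp)$'

$Findings = foreach ($Kind in 'Paths', 'Extensions', 'Processes') {
    $Key = Join-Path $ExclusionRoot $Kind
    if (-not (Test-Path $Key)) { continue }
    # Each exclusion is stored as the *name* of a DWORD value (data 0), so read the
    # value names and drop the PS* provider metadata that Get-ItemProperty attaches.
    (Get-ItemProperty -Path $Key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
        ForEach-Object {
            $Entry = $_.Name
            $Flag  = -not ($Baseline -contains $Entry) -and (
                        ($Kind -eq 'Paths'      -and $Entry -match $UserWritable) -or
                        ($Kind -eq 'Extensions' -and $Entry -match $RiskyExt) -or
                        ($Kind -eq 'Processes'))
            [pscustomobject]@{ Kind = $Kind; Exclusion = $Entry; Review = $Flag }
        }
}
$Findings | Sort-Object Review -Descending | Format-Table -AutoSize

# Defender records every configuration change, exclusions included, as event 5007
# in its Operational log. Assumption: the "New value:" line is the last line of the
# message, which names the exclusion key and the value that was added.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } `
             -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\' } |
    Select-Object TimeCreated, @{ n = 'Change'; e = { ($_.Message -split "`n")[-1].Trim() } }
```

Entries with `Review` set to `True` are the ones to compare against the machine's change history; a 5007 event whose `Change` names an exclusion for a freshly downloaded installer is the trace this dropper would leave.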
One of the binaries, “appsetup.exe,” is designed to achieve persistence on the system, while the second executable, “prun.exe,” functions as a downloader for a sprayer module that can retrieve and deploy a variety of threats from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba.
“prun.exe” is also notable for its barrage of obfuscation and anti-reversing techniques, which involve separating code chunks with random filler bytes, with the execution flow designed to “jump over these parts and only execute the small, meaningful chunks.”
Given MosaicLoader’s wide-ranging capabilities, compromised systems can be co-opted into a botnet that the threat actor can then exploit to propagate multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand, and maintain unauthorized access to victim computers and networks.
“The best way to defend against MosaicLoader is to avoid downloading cracked software from any source,” the researchers said. “Besides being against the law, cybercriminals look to target and exploit users searching for illegal software,” adding that it is essential to “check the source domain of every download to make sure that the files are legitimate.”