Cybersecurity researchers on Tuesday lifted the lid on a previously undocumented malware strain dubbed "MosaicLoader" that singles out people searching for cracked software as part of a global campaign.
"The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service," Bitdefender researchers said in a report shared with The Hacker News. "The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links."
The malware has been so named because of its sophisticated internal structure, which is orchestrated to prevent reverse-engineering and evade analysis.
Attacks involving MosaicLoader rely on a well-established tactic for malware delivery called search engine optimization (SEO) poisoning, whereby cybercriminals buy ad slots in search engine results to boost their malicious links as top results when users search for terms related to pirated software.
Upon a successful infection, the initial Delphi-based dropper, which masquerades as a software installer, acts as an entry point to fetch next-stage payloads from a remote server and also adds local exclusions in Windows Defender for the two downloaded executables in an attempt to thwart antivirus scanning.
It is worth noting that such Windows Defender exclusions can be found in the registry keys listed below:
- File and folder exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
- File type exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
- Process exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
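Because a dropper that adds its own exclusions leaves a trace in exactly these keys, a defender can audit them directly. The PowerShell below is an added example, not code from the Bitdefender report or from MosaicLoader: it enumerates the three exclusion keys named above, flags path and process exclusions that point into user-writable locations (a constructed watch-list, since a legitimate administrator rarely excludes those), and pulls recent Defender configuration-change events (event ID 5007) that mention the Exclusions subtree. Reading these keys requires an elevated prompt.

```powershell
# Added example (not from the Bitdefender report): audit the three Windows Defender
# exclusion keys and flag entries that look like what a dropper would add.
# Run from an elevated (Administrator) PowerShell session.

function Get-DefenderExclusion {
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
    $subkeys = [ordered]@{
        Paths      = 'File and folder exclusion'
        Extensions = 'File type exclusion'
        Processes  = 'Process exclusion'
    }
    # Constructed watch-list: locations a dropper running as the logged-on user can
    # write to. Tune this for your own environment.
    $userWritable = @(
        'C:\Users', 'C:\ProgramData', $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA, $env:PUBLIC
    ) | Where-Object { $_ } | Select-Object -Unique

    foreach ($entry in $subkeys.GetEnumerator()) {
        $keyPath = Join-Path $base $entry.Key
        if (-not (Test-Path $keyPath)) { continue }
        # Defender stores each exclusion as a value NAME under the key (the data is a
        # DWORD 0), so the value names themselves are the exclusions.
        foreach ($name in (Get-Item -Path $keyPath).GetValueNames()) {
            if ([string]::IsNullOrEmpty($name)) { continue }   # skip the default value
            $hit = $false
            if ($entry.Key -ne 'Extensions') {
                foreach ($root in $userWritable) {
                    if ($name.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                        $hit = $true
                        break
                    }
                }
            }
            [pscustomobject]@{
                Type       = $entry.Value
                Exclusion  = $name
                Suspicious = $hit
            }
        }
    }
}

function Get-DefenderExclusionChange {
    param([int]$Days = 7)
    # Defender records every configuration change as event 5007 in its Operational
    # log; an added exclusion shows its registry path in the message text, so
    # filter on the Exclusions subtree.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Windows Defender\\Exclusions\\' } |
        Select-Object TimeCreated, Message
}

# Registry view of the exclusions, suspicious ones flagged.
$fromRegistry = Get-DefenderExclusion
$fromRegistry | Format-Table -AutoSize

# Cross-check against what the Defender cmdlet reports; an exclusion present in
# the registry but absent here is itself worth a closer look.
$pref = Get-MpPreference
$fromCmdlet = @($pref.ExclusionPath) + @($pref.ExclusionProcess) | Where-Object { $_ }
$fromRegistry |
    Where-Object { $_.Type -ne 'File type exclusion' -and $fromCmdlet -notcontains $_.Exclusion } |
    ForEach-Object { Write-Warning "In registry but not reported by Get-MpPreference: $($_.Exclusion)" }

# Recent exclusion changes from the event log.
Get-DefenderExclusionChange -Days 30 | Format-Table -AutoSize -Wrap
```

The registry check and the event-log check complement each other: the registry shows the current state, while event 5007 shows when an exclusion appeared, which is what ties it back to the installer run that created it. Shipping the 5007 events to a SIEM and alerting on any message that references the Exclusions subtree turns this one-off audit into a standing detection.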
One of the binaries, "appsetup.exe," is designed to achieve persistence on the system, while the second executable, "prun.exe," functions as a downloader for a sprayer module that can retrieve and deploy a variety of threats from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba.
"prun.exe" is also notable for its barrage of obfuscation and anti-reversing techniques that involve separating code chunks with random filler bytes, with the execution flow designed to "jump over these parts and only execute the small, meaningful chunks."
Given MosaicLoader's wide-ranging capabilities, compromised systems can be co-opted into a botnet that the threat actor can then exploit to propagate multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand, and maintain unauthorized access to victim computers and networks.
"The best way to defend against MosaicLoader is to avoid downloading cracked software from any source," the researchers said. "Besides being against the law, cybercriminals look to target and exploit users searching for illegal software," adding that it is important to "check the source domain of every download to make sure that the files are legitimate."