Friday, July 23, 2021

MosaicLoader malware targets cracked software via SEO poisoning


New MosaicLoader malware targets users who are searching for cracked software to download. Cybercriminals run ad campaigns in search engine results to push their malicious links to the top when users search for terms related to cracked software.

Cybersecurity researchers from Bitdefender on Tuesday published research on a previously undocumented malware strain dubbed “MosaicLoader” that singles out individuals searching for cracked software as part of a global campaign.

MosaicLoader is a malware downloader designed by its creators to deploy more second-stage payloads on infected systems.

“The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links.”

“We named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering,” said Janos Gergo Szeles, Senior Security Researcher at Bitdefender.

Once planted on the system, the malware creates a complex chain of processes and tries to download a variety of threats, from simple cookie stealers and cryptocurrency miners to fully fledged backdoors such as Glupteba.

During their investigation, Bitdefender found that MosaicLoader threat actors used the following tactics to hinder researchers’ malware analysis efforts and to increase their attacks’ rate of success:

  • Mimicking file information that is similar to legitimate software
  • Code obfuscation with small chunks and shuffled execution order
  • Payload delivery mechanism infecting the victim with several malware strains

Exclusion of Windows Defender via PowerShell

Notably, Windows Defender exclusions are stored in the registry keys below, so an unexpected entry under any of them is worth checking.

  • File and folder exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  • File type exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
  • Process exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
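The registry locations above are also where a defender can look for exclusions that nobody on the team added. The PowerShell script below is an added audit example, not code from the article or from Bitdefender's research: it reads the three Exclusions keys, cross-checks them against what Get-MpPreference reports, flags entries that match a small, assumed list of overly broad patterns, and pulls recent Defender configuration-change events (event ID 5007 in the Defender operational log). The "suspicious pattern" list is a constructed heuristic, not an indicator from the page. Run it in an elevated session, since current Windows builds restrict reading exclusions to administrators.

```powershell
# Added example: audit Windows Defender exclusions via the registry keys named
# in the article, Get-MpPreference, and the Defender operational event log.
# Run elevated. The suspicious-pattern list below is an assumption for the demo.

$ExclusionKeys = @{
    'Paths'      = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    'Extensions' = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions'
    'Processes'  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes'
}

# Constructed heuristic: exclusions this broad are rarely legitimate on a workstation.
$SuspiciousPatterns = @(
    '^[A-Za-z]:\\$',                       # whole drive excluded
    '(?i)\\Users\\?$', '(?i)\\Users\\[^\\]+\\?$',
    '(?i)\\AppData\\', '(?i)\\Temp\\', '(?i)\\Downloads',
    '(?i)\\ProgramData\\?$',
    '(?i)^(exe|dll|ps1|vbs|js|bat|cmd|scr)$',
    '(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)\.exe$'
)

function Get-DefenderExclusionsFromRegistry {
    foreach ($kind in $ExclusionKeys.Keys) {
        $key = $ExclusionKeys[$kind]
        if (-not (Test-Path $key)) { continue }
        # Each exclusion is a value name under the key (the data is just 0).
        $props = Get-ItemProperty -Path $key
        foreach ($name in $props.PSObject.Properties.Name) {
            if ($name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            [pscustomobject]@{ Kind = $kind; Exclusion = $name; Source = 'Registry' }
        }
    }
}

function Get-DefenderExclusionsFromMpPreference {
    $pref = Get-MpPreference
    foreach ($p in $pref.ExclusionPath)      { [pscustomobject]@{ Kind = 'Paths';      Exclusion = $p; Source = 'MpPreference' } }
    foreach ($e in $pref.ExclusionExtension) { [pscustomobject]@{ Kind = 'Extensions'; Exclusion = $e; Source = 'MpPreference' } }
    foreach ($x in $pref.ExclusionProcess)   { [pscustomobject]@{ Kind = 'Processes';  Exclusion = $x; Source = 'MpPreference' } }
}

function Test-SuspiciousExclusion {
    param([string]$Value)
    foreach ($pattern in $SuspiciousPatterns) {
        if ($Value -match $pattern) { return $true }
    }
    return $false
}

# 1. Collect from both sources and merge on (Kind, Exclusion).
$all = @(Get-DefenderExclusionsFromRegistry) + @(Get-DefenderExclusionsFromMpPreference)
$merged = $all | Group-Object Kind, Exclusion | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Kind       = $first.Kind
        Exclusion  = $first.Exclusion
        Sources    = ($_.Group.Source | Sort-Object -Unique) -join ','
        Suspicious = Test-SuspiciousExclusion -Value $first.Exclusion
    }
}

Write-Host "== Current Defender exclusions =="
$merged | Sort-Object Suspicious -Descending | Format-Table -AutoSize

$flagged = $merged | Where-Object Suspicious
if ($flagged) {
    Write-Warning ("{0} exclusion(s) match broad patterns; verify each with the owner." -f $flagged.Count)
}

# 2. Recent configuration changes: Defender logs event 5007 when a setting
#    (including exclusions) is modified. Restrict to the last 7 days.
Write-Host "== Defender configuration changes mentioning Exclusions (last 7 days) =="
try {
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddDays(-7)
    } -ErrorAction Stop |
        Where-Object { $_.Message -match 'Exclusions' } |
        Select-Object TimeCreated, @{n='Change'; e={ ($_.Message -split "`n")[-1].Trim() }} |
        Format-Table -AutoSize -Wrap
} catch {
    Write-Host "No matching 5007 events (or log not readable): $($_.Exception.Message)"
}
```

An exclusion that shows up in the registry but not in Get-MpPreference (or the reverse) is itself worth a look, and a 5007 event whose timestamp lines up with a user installing a "cracked" installer is the kind of correlation an EDR rule can be built on.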

The researcher added that the campaign doesn’t target a specific region. Due to online advertising, it will attempt to infect any search engine users looking to download and install cracked software installers on their devices.

The stolen info can later be used to hijack victims’ online accounts and use the gained access in identity theft scams or blackmail scams.

Given MosaicLoader’s wide-ranging capabilities, compromised systems can be co-opted into a botnet that the threat actor can then exploit to propagate multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand, and maintain unauthorized access to victim computers and networks.

“Besides being against the law, cybercriminals look to target and exploit users searching for illegal and Cracked software.”

Recommendations to Defend Yourself

MosaicLoader predominantly targets victims looking for cracked software – we advise users not to download and install applications from untrusted websites.

Businesses should apply the indicators of compromise (IOCs) to their EDR systems to ensure that employees working from home (who are at higher risk of downloading cracked software) are not impacted.

Priyanshu Vijayvargiya
Founder and Editor-in-Chief of 'Virtualattacks Inc' Priyanshu Vijayvargiya is a cybersecurity analyst, Information Security professional, developer, and a white hat hacker.

