MosaicLoader is delivered through paid advertisements in search engine results designed to lure users looking for cracked software into infecting their devices.
“The attackers behind MosaicLoader developed a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service,” researchers at Bitdefender explained.
Researchers say that “once the malware infects a system, it creates a complex chain of processes and tries to download a variety of threats, from simple cookie stealers and cryptocurrency miners to fully-fledged backdoors such as Glupteba”.
Bitdefender researchers observed the malware sprayer delivering Facebook cookie stealers, which exfiltrate login information; this enables attackers to take control of accounts and create posts that spread malware or cause reputational damage.
Glupteba is a kind of malware that creates a backdoor on infected systems, which can then be used to steal sensitive details, including usernames and passwords, along with financial information.
MosaicLoader, a new password-stealing Windows malware, is distributed through adverts for cracked software. Cybersecurity company Bitdefender warns that the malware installs cryptocurrency miners and delivers trojan malware, and that those behind it want to sell access to Windows PCs to other cybercriminals.
The malware also spreads a range of RATs for espionage purposes, which can log keystrokes, record audio from the microphone and images from the webcam, capture screenshots and so on.
Key Characteristics Of MosaicLoader
Mimicking file information that resembles legitimate software
Code obfuscation with small chunks and a mixed execution order
A payload delivery mechanism that infects the victim with several malware strains
Execution Flow
First Stage: MosaicLoader
The installation of a dropper begins, which mimics legitimate software: researchers found icons and “version info” that mirror those used for genuine applications. The dropper then contacts the C2 and downloads a .zip file containing appsetup.exe and prun.exe.
Second Stage: appsetup.exe
It is used to achieve persistence on the system. appsetup.exe registers itself as a service called “pubgame-updater” that runs periodically, making sure that even if the persistence registry key gets cleaned up, it is added again.
Second Stage: prun.exe
prun.exe uses mathematical operations on big numbers to obtain values required by the program. It employs a process-hollowing technique to inject code into a newly created process, which interacts with the C2 to download the final stage: a malware sprayer.
Third Stage: Malware Sprayer
It downloads malware from a list of attacker-controlled URLs that host the payloads and executes them. Thus, it can deliver any malware onto the system.
How to Defend against the Malware?
Users should never turn off their security solution when it blocks the installation of software downloaded from the internet, as attackers have become adept at bundling legitimate apps with malware.
Researchers advise that users should not download and install applications from untrusted websites. Organizations should apply the IOCs to their EDR systems to ensure that employees working from home (who are at greater risk of downloading cracked software) are not affected.
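As an added example (not code from the Bitdefender report or this article), the following Python detection logic applies the persistence behaviour described above to service-install telemetry: it flags the “pubgame-updater” service name and the appsetup.exe / prun.exe binaries, and goes one step further by flagging any service that is re-installed on the same host within a short window, which matches the “adds it again” behaviour. The JSON record layout, hostnames, paths and timestamps are constructed assumptions, modelled on Windows System log event 7045 (“a service was installed”).

```python
import json
from collections import defaultdict

# Constructed sample telemetry (not real data): one JSON record per line,
# modelled on Windows System log Event ID 7045 "service installed" events.
SAMPLE_LOG = r"""
{"ts": 1626782400, "event_id": 7045, "host": "WS01", "service": "pubgame-updater", "image": "C:\\Users\\a\\AppData\\Local\\Temp\\appsetup.exe"}
{"ts": 1626782460, "event_id": 7045, "host": "WS01", "service": "WdNisSvc", "image": "C:\\Program Files\\Windows Defender\\NisSrv.exe"}
{"ts": 1626786000, "event_id": 7045, "host": "WS01", "service": "pubgame-updater", "image": "C:\\Users\\a\\AppData\\Local\\Temp\\appsetup.exe"}
{"ts": 1626786100, "event_id": 7045, "host": "WS02", "service": "Updater", "image": "C:\\Users\\b\\Downloads\\prun.exe"}
"""

SUSPICIOUS_SERVICE_NAMES = {"pubgame-updater"}        # persistence service named in the report
SUSPICIOUS_IMAGE_NAMES = {"appsetup.exe", "prun.exe"}  # dropped binaries named in the report
REREGISTER_WINDOW = 24 * 3600                          # seconds; assumed tuning value


def parse_events(text):
    """Parse newline-delimited JSON records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def image_basename(path):
    """Return the lower-cased file name of a Windows or POSIX image path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events):
    """Return one finding per service-install event that matches an indicator."""
    findings = []
    installs = defaultdict(list)  # (host, service) -> timestamps of installs seen so far
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("event_id") != 7045:
            continue
        key = (ev["host"], ev["service"].lower())
        installs[key].append(ev["ts"])
        reasons = []
        if ev["service"].lower() in SUSPICIOUS_SERVICE_NAMES:
            reasons.append("known MosaicLoader service name")
        if image_basename(ev.get("image", "")) in SUSPICIOUS_IMAGE_NAMES:
            reasons.append("known MosaicLoader binary name")
        # Same service installed again on the same host within the window:
        # the re-registration behaviour the report attributes to appsetup.exe.
        earlier = [t for t in installs[key][:-1] if ev["ts"] - t <= REREGISTER_WINDOW]
        if earlier:
            reasons.append(f"service re-installed {len(earlier)} time(s) within window")
        if reasons:
            findings.append({"host": ev["host"], "service": ev["service"],
                             "ts": ev["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_events(SAMPLE_LOG)):
        print(finding)
```

In production the same logic would read from the EDR or SIEM export rather than the embedded sample, and the indicator sets would be extended with the full IOC list from the report.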