What is MosaicLoader malware and how does it work?

MosaicLoader malware can be used to steal passwords, install cryptocurrency miners and deliver trojan malware, warn researchers from Bitdefender

A never-before-documented malware strain dubbed MosaicLoader is spreading worldwide. 

According to Bitdefender researchers who discovered the malware, the loader is spreading worldwide through paid ads in search results, targeting people looking for pirated software and games. It masquerades as a cracked software installer, but in reality, it’s a downloader that can deliver any payload to an infected system.

It can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information. 

Bitdefender named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering.

"Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call," Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet. 

The researchers suggest that antivirus software would likely detect the malware, but many users downloading illegally cracked software have probably turned their protection off in order to download and install it. 

The dangers of MosaicLoader

During their investigation, Bitdefender found that the MosaicLoader threat actors used the following tactics to hinder malware analysis by researchers and to increase the success rate of their attacks:

  • Mimicking file information that is similar to legitimate software
  • Code obfuscation with small chunks and shuffled execution order
  • Payload delivery mechanism infecting the victim with several malware strains

After being deployed on a victim's system, MosaicLoader downloads additional malware which can range from cryptocurrency miners and cookie stealers to Remote Access Trojans (RATs) and backdoors using "a complex chain of processes." The threat actors can harvest sensitive information such as credentials from compromised systems using RATs and similar malware with data theft capabilities. The stolen information can later be used to hijack victims' online accounts and use the gained access in identity theft scams or blackmail scams.

The researchers added that the campaign doesn't target a specific region. Due to its online advertising lures, it will attempt to infect any search engine users looking to download and install cracked software installers on their devices.
