What is MosaicLoader malware and how does it work?

MosaicLoader malware can be used to steal passwords, install cryptocurrency miners and deliver trojan malware, warn researchers from Bitdefender

A never-before-documented malware strain dubbed MosaicLoader is spreading worldwide. 

According to Bitdefender researchers who discovered the malware, the loader is spreading worldwide through paid ads in search results, targeting people looking for pirated software and games. It masquerades as a cracked software installer, but in reality, it’s a downloader that can deliver any payload to an infected system.

It can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information. 

Bitdefender named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering.

"Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call," Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.

Bitdefender suggests that antivirus software would most likely detect the malware, but many users who download illegally cracked software have probably turned their protections off in order to access and install the download.

The dangers of MosaicLoader

During their investigation, Bitdefender found that MosaicLoader threat actors used the following tactics to hinder researchers' malware analysis efforts and to increase their attacks' rate of success:

  • Mimicking file information that is similar to legitimate software
  • Code obfuscation with small chunks and shuffled execution order
  • Payload delivery mechanism infecting the victim with several malware strains

After being deployed on a victim's system, MosaicLoader downloads additional malware which can range from cryptocurrency miners and cookie stealers to Remote Access Trojans (RATs) and backdoors using "a complex chain of processes." The threat actors can harvest sensitive information such as credentials from compromised systems using RATs and similar malware with data theft capabilities. The stolen information can later be used to hijack victims' online accounts and use the gained access in identity theft scams or blackmail scams.

The researchers added that the campaign doesn't target a specific region. Due to its online advertising lures, it will attempt to infect any search engine users looking to download and install cracked software installers on their devices.
