What is MosaicLoader malware and how does it work?

MosaicLoader malware can be used to steal passwords, install cryptocurrency miners and deliver trojan malware, warn researchers from Bitdefender

A never-before-documented malware strain dubbed MosaicLoader is spreading worldwide. 

According to Bitdefender researchers who discovered the malware, the loader is spreading worldwide through paid ads in search results, targeting people looking for pirated software and games. It masquerades as a cracked software installer, but in reality, it’s a downloader that can deliver any payload to an infected system.

It can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information. 

Bitdefender named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering.

"Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call," Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.

It is suggested that the malware could be detected by antivirus software, but many users downloading illegally cracked software have likely turned their protections off in order to access and install the download.

The dangers of MosaicLoader

During their investigation, Bitdefender found that MosaicLoader threat actors used the following tactics to hinder researchers' malware analysis efforts and to increase their attacks' rate of success:

  • Mimicking file information that is similar to legitimate software
  • Code obfuscation with small chunks and shuffled execution order
  • Payload delivery mechanism infecting the victim with several malware strains

After being deployed on a victim's system, MosaicLoader downloads additional malware, ranging from cryptocurrency miners and cookie stealers to Remote Access Trojans (RATs) and backdoors, using "a complex chain of processes." The threat actors can harvest sensitive information such as credentials from compromised systems using RATs and similar malware with data theft capabilities. The stolen information can later be used to hijack victims' online accounts and to exploit the gained access in identity theft or blackmail scams.

The researchers added that the campaign doesn't target a specific region. Due to its online advertising lures, it will attempt to infect any search engine users looking to download and install cracked software installers on their devices.
