What is MosaicLoader malware and how does it work?
A never-before-documented malware strain dubbed MosaicLoader is spreading worldwide.
According to Bitdefender researchers who discovered the malware, the loader is spreading worldwide through paid ads in search results, targeting people looking for pirated software and games. It masquerades as a cracked software installer, but in reality, it’s a downloader that can deliver any payload to an infected system.
It can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information.
Bitdefender named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering.
"Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call," Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.
Antivirus software would likely detect the malware, but many users downloading illegally cracked software have probably turned their protection off in order to access and install the download.
The dangers of MosaicLoader
During their investigation, Bitdefender found that MosaicLoader threat actors used the following tactics to hinder researchers' malware analysis efforts and to increase their attacks' rate of success:
- Mimicking the file information of legitimate software
- Code obfuscation with small chunks and shuffled execution order
- Payload delivery mechanism infecting the victim with several malware strains
After being deployed on a victim's system, MosaicLoader uses "a complex chain of processes" to download additional malware, which can range from cryptocurrency miners and cookie stealers to Remote Access Trojans (RATs) and backdoors. Using RATs and similar malware with data theft capabilities, the threat actors can harvest sensitive information such as credentials from compromised systems. The stolen information can later be used to hijack victims' online accounts, and the gained access can be exploited in identity theft or blackmail scams.
The researchers added that the campaign doesn't target a specific region. Because it relies on online advertising lures, it will attempt to infect any search engine user looking to download and install cracked software installers on their device.