MosaicLoader is a newly documented malware downloader whose operators abuse search-engine results to trick users into downloading it disguised as cracked software. The campaign targets users looking for pirated software, researchers at Bitdefender said.
In a report published today, Janos Gergo Szeles, Senior Security Researcher at Bitdefender, explains that MosaicLoader is a malware downloader designed to deliver second-stage payloads to infected systems. Its authors used several tactics to hinder analysis: mimicking the file information of legitimate software, code obfuscation, a shuffled execution order, and infecting the victim with several malware strains at once. The loader also adds local exclusions in Windows Defender for its own executables so that Defender skips them during scans.
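Defender exclusions added by malware are easy to miss because they silence the scanner rather than trigger it. The script below is an added example, not code from Bitdefender's report: it lists the current path, process and extension exclusions on a Windows host, flags any that point into user-writable locations (a constructed list for this example), and pulls the Defender operational-log event that records configuration changes. It assumes an elevated PowerShell session, since recent Defender builds hide exclusion lists from unprivileged users.

```powershell
# Added example (not from the Bitdefender report): audit Microsoft Defender
# exclusions and recent exclusion changes. Run from an elevated PowerShell
# session on a host that has the Defender module (Get-MpPreference).

# Locations a dropper running as the logged-on user can write to. A legitimate
# admin rarely needs an exclusion here, so these are worth a closer look.
# Constructed list for this example; extend it for your environment.
$suspiciousRoots = @(
    "$env:USERPROFILE\AppData\Local\Temp",
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\AppData\Roaming",
    "$env:PUBLIC",
    "$env:ProgramData",
    "$env:TEMP"
)

function Test-SuspiciousPath {
    param([string]$Path)
    foreach ($root in $suspiciousRoots) {
        if ($Path -like "$root*") { return $true }
    }
    return $false
}

$pref = Get-MpPreference

Write-Host "== Path exclusions =="
foreach ($p in @($pref.ExclusionPath)) {
    $flag = if (Test-SuspiciousPath $p) { '  <-- user-writable location' } else { '' }
    Write-Host "$p$flag"
}

Write-Host "`n== Process exclusions =="
foreach ($p in @($pref.ExclusionProcess)) {
    $flag = if (Test-SuspiciousPath $p) { '  <-- user-writable location' } else { '' }
    Write-Host "$p$flag"
}

Write-Host "`n== Extension exclusions =="
foreach ($e in @($pref.ExclusionExtension)) { Write-Host $e }

# Event 5007 in the Defender operational log records every configuration
# change, including exclusions added with Add-MpPreference or written directly
# under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions. Filter on the
# ones that touch exclusions in the last seven days.
Write-Host "`n== Exclusion changes in the last 7 days (event 5007) =="
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List
```

An empty exclusion list from a non-elevated prompt is not evidence of a clean host; rerun it elevated. The 5007 events are the more reliable signal, because they survive even if the malware later removes the exclusion.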
“We named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering,” Janos Gergo Szeles said.
The campaign is not targeted at users in a specific region, but rather at any user of a search engine. Attackers use social engineering techniques to trick them into downloading and installing unauthorized software.
They are camouflaging their droppers as legitimate software by using similar icons and including recognizable company names and descriptions in their metadata.
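Version-info metadata (CompanyName, FileDescription, ProductName) is free text that any compiler or resource editor can set, whereas an Authenticode signature is bound to a certificate. A cheap triage check is therefore to flag binaries that claim a well-known vendor in their metadata but are unsigned or signed by someone else. The script below is an added example, not Bitdefender's tooling; the vendor list is constructed for illustration and the default scan path is the current user's Downloads folder.

```powershell
# Added example (not from the Bitdefender report): find executables whose
# version metadata claims a well-known vendor but whose Authenticode signature
# does not back that claim. The vendor list is a constructed example.
param(
    [string]$Path = "$env:USERPROFILE\Downloads"
)

$trustedVendors = @('Microsoft', 'NVIDIA', 'Adobe', 'Intel', 'Google', 'Oracle')

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $vi  = $_.VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    # Does the metadata name one of the vendors we care about?
    $claimed = "$($vi.CompanyName) $($vi.FileDescription) $($vi.ProductName)"
    $vendor  = $trustedVendors | Where-Object { $claimed -match $_ } | Select-Object -First 1
    if (-not $vendor) { return }   # no vendor claim to verify; skip

    # A valid signature whose subject names the same vendor backs the claim.
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $backed = ($sig.Status -eq 'Valid') -and ($signer -match $vendor)

    [pscustomobject]@{
        File      = $_.FullName
        ClaimedCo = $vi.CompanyName
        FileDesc  = $vi.FileDescription
        SigStatus = $sig.Status
        Signer    = $signer
        Verdict   = if ($backed) { 'claim backed by signer' } else { 'MISMATCH: investigate' }
    }
} |
Where-Object { $_.Verdict -ne 'claim backed by signer' } |
Format-Table -AutoSize
```

Treat the output as a triage list rather than a verdict: some legitimate installers mention a vendor in their description while being signed by a third-party packager, and a stolen or leaked code-signing certificate would pass this check. What it reliably catches is the pattern described above, a dropper with copied icon and metadata and no signature at all.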
Once installed on a victim’s system, MosaicLoader launches a series of actions to install various types of malware, including cryptocurrency miners and RATs, and to steal credentials.
“The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service,” Bitdefender researchers write. “The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links.”
In this way MosaicLoader can exfiltrate sensitive information such as usernames and passwords, which attackers can later use to hijack victims’ accounts or in identity theft and blackmail scams.
“The best way to defend against MosaicLoader is to avoid downloading cracked software from any source,” Szeles concluded. “Besides being against the law, cybercriminals look to target and exploit users searching for illegal software.”
Additional technical information and indicators of compromise can be found at the end of the whitepaper.