Adversaries often target users with various phishing tactics. But sometimes, unwitting users fall into a hacker’s trap, revealing their private data to attackers. Cybersecurity researchers from Bitdefender recently identified a new malware variant that targets users who are looking online for pirated software.
Tracked as MosaicLoader, the malware is distributed via paid advertisements in search results, specially crafted to trick users into clicking the malicious ads link and infect their devices. Once deployed on the system, MosaicLoader creates a complex chain of processes and automatically downloads additional payloads like cookie stealers, crypto-currency miners, and backdoors like Glupteba. Glupteba is a malware Trojan with advanced features that could turn the infected system into a remotely controlled bot and steal personal information.
MosaicLoader’s Infection Flow
Initially, the MosaicLoader malware adds local exclusions in Windows Defender for legitimate-looking filenames to evade security detections. The malware then deploys additional malware payloads to gain persistent access to the targeted device. The execution flow of MosaicLoader include:
Creating a fake software file > Code obfuscation with execution order > Auto-downloading with several malware strains.
Impact
In addition to MosaicLoader, Bitdefender researchers also identified a malware sprayer distributing Facebook cookie stealers to access users’ login cookies from browsers. This allows threat actors to take over victims’ Facebook accounts, deploy malware, and steal identities. They even leveraged a variety of RATs like AsyncRAT and Powershell Dropper for their cyberespionage campaigns to obtain users’ log keystrokes, audio from the microphone, and images from the infected system.
“Due to MosaicLoader’s capabilities, user privacy may be severely affected. The malware sprayer can deliver Facebook cookie stealers on the system that might exfiltrate login data, resulting in complete account takeovers, posts that can harm the reputation of businesses or persons, or posts that spread malware. Another significantly dangerous malware delivered through MosaicLoader is the Remote Access Trojans. They can log keypresses on the system, record audio from the microphone and images from the webcam, capture screenshots, etc. With this private information, attackers can take over accounts, steal digital identities and attempt to blackmail victims,” Bitdefender said.
Indicators of Compromise
URLs
t1.cloudshielding.xyz
c1.checkblanco.xyz
s1.chunkserving.com
m1.uptime66.com
5a014483-ff8f-467e-a260-28565368d9be.certbooster.com
0129e158-aa17-4900-99a6-30f4a49bd0a4.nordlt.com
Integral.hacking101.net
IP Address
195.181.169.92
Mitigation
While the MosaicLoader campaign has not targeted any specific countries or sectors, the attackers are mostly targeting personal computers.
To prevent MosaicLoader infections:
- Organizations should apply the indicators of compromises (IOCs) to endpoint detection and response (EDR) systems
- Ensure employees avoid downloading pirated software or applications
- Always download from authentic sources
- Keep devices updated
