This new malware hides among Windows Defender exclusions to evade detection
Cybersecurity researchers on Tuesday lifted the veil on a previously undocumented strain of malware dubbed “MosaicLoader” that targets people searching for pirated software as part of a global campaign.
“The attackers behind MosaicLoader have created malware capable of delivering any payload to the system, which makes it potentially profitable as a delivery service,” Bitdefender researchers said in a report shared with The Hacker News. “The malware arrives on target systems masquerading as cracked installers. It downloads a malware sprayer which obtains a list of URLs from the C2 server and downloads payloads from the links received.”
The malware was so named because of its sophisticated internal structure which is orchestrated to prevent reverse engineering and evade analysis.
Attacks involving MosaicLoader rely on a well-established malware distribution tactic called search engine optimization (SEO) poisoning, in which cybercriminals buy ad space in search engine results so that their malicious links rank higher when users search for terms related to pirated software.
In the event of a successful infection, the initial Delphi-based dropper – which masquerades as a software installer – acts as an entry point to retrieve next-stage payloads from a remote server and also adds local exclusions in Windows Defender for the two downloaded executables in order to thwart the virus scan.
It should be pointed out that such Windows Defender exclusions can be found in the registry keys listed below:
- File and folder exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
- File type exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
- Process exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
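Because an attacker who can write to those keys can carve out a blind spot for the scanner, defenders typically audit them rather than trust the default view. The script below is an added example, not code from the article or from Bitdefender's report: it enumerates the three exclusion keys named above (plus the Group Policy counterpart under HKLM\SOFTWARE\Policies, which Defender also honours), cross-checks them against what the Defender service itself reports through Get-MpPreference, flags exclusions pointing at user-writable locations (a heuristic chosen for this example, not a Microsoft rule), and pulls recent Defender configuration-change events (Event ID 5007) that mention exclusions. It assumes a Windows host with the Defender PowerShell module and an elevated shell.

```powershell
# Added example: audit Microsoft Defender exclusions on the local host.
# Not part of the original article; run from an elevated PowerShell session.

$roots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions',           # local (UI / Set-MpPreference) exclusions
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions'   # Group Policy-managed exclusions
)
$categories = @{
    'Paths'      = 'File and folder exclusions'
    'Extensions' = 'File type exclusions'
    'Processes'  = 'Process exclusions'
}

# Heuristic (assumption for this example): exclusions under user-writable
# locations deserve a closer look, since droppers usually land there.
$suspiciousPattern = '\\(Temp|AppData|Downloads|ProgramData|Users\\Public)\\'

$findings = foreach ($root in $roots) {
    foreach ($sub in $categories.Keys) {
        $key = Join-Path $root $sub
        if (-not (Test-Path $key)) { continue }
        # Each exclusion is stored as a value *name* under the key; the data is just a DWORD 0.
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip the provider's PSPath/PSParentPath metadata
            [pscustomobject]@{
                Category   = $categories[$sub]
                Exclusion  = $p.Name
                Source     = $key
                Suspicious = [bool]($p.Name -match $suspiciousPattern)
            }
        }
    }
}

# Cross-check: what the running Defender service believes its exclusions are.
$pref = Get-MpPreference
$reported = @($pref.ExclusionPath) + @($pref.ExclusionExtension) + @($pref.ExclusionProcess) |
    Where-Object { $_ }

"== Exclusions found in the registry =="
$findings | Sort-Object Suspicious -Descending | Format-Table Category, Exclusion, Suspicious, Source -AutoSize

"== Registry exclusions not reported by Get-MpPreference (investigate any mismatch) =="
$findings | Where-Object { $reported -notcontains $_.Exclusion } | Format-Table Category, Exclusion -AutoSize

# Defender logs every configuration change as Event ID 5007 in its Operational log;
# entries that mention 'Exclusions' show when and what was added or removed.
"== Recent Defender configuration changes touching exclusions (Event ID 5007) =="
Get-WinEvent -LogName 'Microsoft-Windows-Windows Defender/Operational' `
             -FilterXPath '*[System[EventID=5007]]' -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-List
```

On a clean workstation the first table is usually short or empty and the mismatch table is empty; an exclusion that appears in the registry but not in Get-MpPreference, or one pointing at a freshly created file under a Temp or AppData path, is the pattern this article describes and is worth correlating with the 5007 events to find out which process added it.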
One of the binaries, “appsetup.exe”, is designed to ensure persistence on the system, while the second executable, “prun.exe”, functions as a downloader for a spray module that can fetch and deploy a variety of threats from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba.
“prun.exe” is also notable for its barrage of obfuscation and anti-reverse-engineering techniques that involve splitting chunks of code with random padding bytes, with the flow of execution designed to “skip those parts and only perform small significant pieces”.
Given the extensive capabilities of MosaicLoader, compromised systems can be co-opted into a botnet that the threat actor can then exploit to spread multiple and evolving sets of sophisticated malware, including publicly available and custom malware, in order to obtain, extend and maintain unauthorized access to victims’ computers and networks.
“The best way to defend against MosaicLoader is to avoid downloading pirated software from any source,” the researchers said. “In addition to being against the law, cybercriminals seek to target and exploit users for illegal software,” adding that it is essential to “verify the source domain of each download to ensure that the files are legitimate”.