[MART] - Daily Diary #308 - MosaicLoader Disguised As Cracked Software Via Search Engine Ads

CTAS-MAT ctas-mat at appgate.com
Tue Jul 20 20:07:07 UTC 2021

I hope everyone is doing well!

Below is the entry for today.

07/20/2021 - Diary entry #308:

A new malware strain was spotted by Bitdefender researchers, delivered through search engine ads. The threat targets users searching for cracked software, and the malware is served disguised as download links. After infecting the victim's machine, the loader downloads a payload from a C2 server. Several types of malware are then deployed this way, from cryptocurrency miners and cookie and Facebook stealers to RATs and backdoors like Glupteba.

Before executing the payloads, MosaicLoader creates a chain of processes and adds their executables to the Microsoft Defender exclusion list via PowerShell commands. Many downloaders from this threat use revoked digital signatures, along with icons and version info similar to those of legitimate software.
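As an added example (not part of the diary entry or Bitdefender's report), the following PowerShell snippet shows how a defender can audit the tampering described above on a Windows host: it lists the current Defender exclusions and pulls the Defender configuration-change events (Event ID 5007) and PowerShell script block events (Event ID 4104) that record when and how an exclusion was added. It assumes an elevated session on a host with the Defender module and, for step 3, that script block logging is enabled; the 7-day window is an arbitrary choice.

```powershell
# Added example, not from the diary: audit Microsoft Defender exclusions and the
# events that record how they were changed. Run from an elevated PowerShell session.

# 1. Current exclusion lists. Any path or process you did not add yourself deserves a look.
$pref = Get-MpPreference
[PSCustomObject]@{
    ExclusionPath      = $pref.ExclusionPath
    ExclusionProcess   = $pref.ExclusionProcess
    ExclusionExtension = $pref.ExclusionExtension
} | Format-List

# 2. Defender logs every configuration change as Event ID 5007 in its Operational log,
#    including the old and new registry values. Keep the last 7 days (arbitrary window)
#    and only the entries that touch the Exclusions keys.
$since = (Get-Date).AddDays(-7)
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap

# 3. Correlate with PowerShell script block logging (Event ID 4104), which captures the
#    Add-MpPreference / Set-MpPreference call itself when that logging is enabled.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-PowerShell/Operational'
    Id        = 4104
    StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Add-MpPreference|Set-MpPreference' } |
    Select-Object TimeCreated, Message |
    Format-Table -AutoSize -Wrap
```

Step 2 is the most useful of the three on hosts without script block logging, since Event ID 5007 is written by Defender itself regardless of how the exclusion was added; matching the 4104 entries then tells you which process and script issued the command.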

As for its internals, MosaicLoader has several anti-debugging techniques, and the code is heavily obfuscated, which makes analysis difficult. The intertwined chunks of code create a mosaic-like structure, hence the name. The malware uses known anti-analysis techniques, like Process Hollowing (covered in our Daily Diaries #240 and #203, among others), to inject the payload and additional modules into a trusted process.

Given the variety of its payloads, this new threat has a big impact on privacy, and it is very profitable as a malware delivery service. To avoid this threat, be careful when downloading software from any untrusted source.

Kind Regards,



Felipe Tarijon de Almeida
Malware Analyst

E: felipe.tarijon at appgate.com<mailto:felipe.duarte at appgate.com>
O: +55 11 97467 9549
