Debugging MosaicLoader, One Step at a Time
Bitdefender researchers have identified a new family of malware while investigating processes that add local exclusions in Windows Defender for specific file names.
We named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering. MosaicLoader is seemingly delivered through paid ads in search results designed to lure users looking for cracked software to infect their devices.
Once planted on the system, the malware creates a complex chain of processes and tries to download a variety of threats, from simple cookie stealers, crypto-currency miners to fully-fledged backdoors such as Glupteba.
This new whitepaper documents the execution flow of MosaicLoader along with some techniques employed by attackers, including:
- Mimicking file information that is similar to legitimate software
- Code obfuscation with small chunks and shuffled execution order
- Payload delivery mechanism infecting the victim with several malware strains
Mosaic predominantly targets victims looking for cracked software - we advise users that they do not download and install applications from untrusted websites.
Businesses should apply the IOCs to their EDR systems to ensure that employees working from home (who are higher risk for downloading cracked software) are not impacted.
More information is available in the whitepaper below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.
LuminousMoth – PlugX, File Exfiltration and Persistence Revisited
July 21, 2021
How We Tracked a Threat Group Running an Active Cryptojacking Campaign
July 14, 2021
A Note from the Bitdefender Labs Team on Ransomware and Decryptors
May 26, 2021
New Nebulae Backdoor Linked with the NAIKON Group
April 28, 2021
Good riddance, GandCrab! We’re still fixing the mess you left behind.
June 17, 2019