Debugging MosaicLoader, One Step at a Time

Bitdefender researchers have identified a new family of malware while investigating processes that add local exclusions in Windows Defender for specific file names.

We named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering. MosaicLoader is seemingly delivered through paid ads in search results that lure users looking for cracked software into infecting their devices.

Once planted on the system, the malware creates a complex chain of processes and tries to download a variety of threats, from simple cookie stealers and cryptocurrency miners to fully-fledged backdoors such as Glupteba.

This new whitepaper documents the execution flow of MosaicLoader along with some techniques employed by attackers, including:

  • Mimicking file information that is similar to legitimate software
  • Code obfuscation with small chunks and shuffled execution order
  • Payload delivery mechanism infecting the victim with several malware strains

Recommendations

MosaicLoader predominantly targets users looking for cracked software; we advise users not to download and install applications from untrusted websites.

Businesses should apply the IOCs to their EDR systems to ensure that employees working from home (who are at higher risk of downloading cracked software) are not impacted.
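Because the family was first spotted through processes adding local Windows Defender exclusions for specific file names, a complementary control to the IOC-based EDR rules is to audit exclusions on endpoints. The following PowerShell is an added example, not code from the post or the whitepaper; it assumes an elevated session with the Defender module available, and the baseline file path is an assumption to adjust for your environment.

```powershell
# Added example: flag Defender exclusions that are not in a saved baseline and
# list recent Defender configuration-change events (Event ID 5007), whose
# message carries the old and new registry value, e.g. an added Exclusions\Paths entry.
# Assumed baseline location (not from the original post):
$BaselinePath = 'C:\ProgramData\DefenderBaseline\exclusions.json'

# 1. Exclusions currently configured on this host
$pref = Get-MpPreference
$current = [ordered]@{
    Path      = @($pref.ExclusionPath)      | Where-Object { $_ }
    Process   = @($pref.ExclusionProcess)   | Where-Object { $_ }
    Extension = @($pref.ExclusionExtension) | Where-Object { $_ }
}

# 2. Compare against the baseline; on first run, just record one
if (Test-Path $BaselinePath) {
    $baseline = Get-Content $BaselinePath -Raw | ConvertFrom-Json
    foreach ($kind in $current.Keys) {
        $known = @($baseline.$kind)
        foreach ($item in @($current[$kind])) {
            if ($item -notin $known) {
                Write-Warning "Defender $kind exclusion not in baseline: $item"
            }
        }
    }
} else {
    New-Item -ItemType Directory -Force -Path (Split-Path $BaselinePath) | Out-Null
    $current | ConvertTo-Json | Set-Content $BaselinePath
    Write-Output "Baseline written to $BaselinePath"
}

# 3. Configuration changes touching exclusions in the last 7 days
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\' } |
    Select-Object TimeCreated, @{ n = 'NewValue'; e = {
        if ($_.Message -match 'New value:\s*(.+)') { $Matches[1].Trim() } else { $_.Message }
    } } |
    Format-Table -AutoSize
```

Run it on a known-clean image first so the baseline reflects only exclusions your own software legitimately needs; any later warning then points at an exclusion added by something else.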

More information is available in the whitepaper below. An up-to-date and complete list of indicators of compromise is available to Bitdefender Advanced Threat Intelligence users.

Download the whitepaper
