A new family of malware has been discovered by researchers at Bitdefender. The researchers were investigating processes that add local excursions in Windows defender for specific file names. A previously unknown form of malware delivered through ads in search results is being utilized to install cryptocurrency miners, steal passwords, and deliver additional trojan malware. Cybersecurity researchers at Bitdefender coined the new family of malware as MosaicLoader. The researchers dubbed the malware MosaicLoader due to its complex internal structure that could easily baffle malware analysts and prevent reverse-engineering of its design. The new malware has infected several targets around the globe as it attempts to infect as many systems as possible along the way.
Further investigation revealed that MosaicLoader can deliver any payload to the compromised system with a downloader. It can also be used to install a wide range of varying malware to an infected system, such as Glupteba- malware which can create a backdoor on a system to steal important information namely, usernames, passwords, and banking details. Unlike many other types of malware distributed by exploiting unpatched software vulnerabilities or distributed in phishing campaigns, MosaicLoader is delivered through ads.
How does the MosaicLoader malware work? When people search for cheaper options of popular software, links to the malware can appear at the top of their search results. Most users by nature look at these top search results, believing them to be genuine, and can unknowingly click on malware. With automated systems responsible for buying and serving advertising space, it is more than likely that no one in the process knows these malicious ads are displayed.
The researchers believe people working from home are more likely to download alternative versions of popular software in comparison to the workplace. Systems infected with MosaicLoader become delivery points that a cybercriminal can use to further infect the machines. During their investigation, the security researchers noted that the payloads delivered in the second stage are responsible for downloading and running even more malicious files. These forms of malware can vary from cryptocurrency miners to cookie stealers and advanced threats like Glupteba.
With MosaicLoader’s capabilities, the victim’s privacy is certainly at stake. The additional malware deployed by MosaicLoader may include Facebook cookie stealers that can compromise login data, resulting in a complete account and identity takeover. This type of malware can post information or status updates that may hurt persons’ or businesses’ reputations or even deliver posts that can spread malware to others. The newly discovered malware can also deliver remote malware to control a webcam and take screenshots. With sensitive information in hand, attackers can take over victim’s accounts, compromise online identities, and blackmail victims with their own personal information.
How to defend against MosaicLoader?
Users can best defend against MosaicLoader by avoiding downloading “too good to be true” versions of their favorite software from any source. Verify the source or platform and avoid cracked software before downloading. Be very careful, or avoid, clicking on advertised links in your preferred search engine. Besides going against the law, hackers find their easiest targets in those looking for illegal software. Always check the source domain of every download to ensure that the files and software are authentic. In addition, keep security solutions and anti-malware up to date.
Bitdefender report: https://labs.bitdefender.com/blog/labs/debugging-mosaicloader-one-step-at-a-time
For more news and updates, visit https://blog.excellimatrix.com/
You can also reach us out on Facebook, & LinkedIn or Contact us