This New Malware Hides Itself Among Windows Defender Exclusions to Avoid Detection


On Tuesday, security experts confirmed the existence of a previously undocumented malware strain named "MosaicLoader," which targets people looking for cracked software as part of a global campaign.

Bitdefender researchers stated in a report shared with The Hacker News, "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service." "The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links."

The malware's name comes from its complex internal structure, which is designed to hinder reverse engineering and escape investigation.

MosaicLoader attacks employ a well-known malware delivery technique known as search engine optimization (SEO) poisoning, in which hackers buy ad slots in search engine results so that their harmful URLs appear at the top of the results when users search for keywords linked to pirated software.

Following a successful infection, the Delphi-based dropper, which masquerades as a software installer, serves as an entry point for retrieving next-stage payloads from a remote server and adds local exclusions in Windows Defender for the two downloaded executables in an effort to circumvent antivirus scanning.

It's important to note that such Windows Defender exclusions can be found in the registry keys listed below:

1. File and folder exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
2. File type exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
3. Process exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes

One of the binaries, "appsetup.exe," is designed to attain system persistence, while the second, "prun.exe," is a downloader for a sprayer mo ..
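The exclusion keys above are worth auditing on a schedule. The following script is an added example, not code from the article or from Bitdefender: it lists the current Defender exclusions via Get-MpPreference and the three registry keys, reports any that are not on an approved list (the list here is a constructed placeholder), and shows recent event ID 5007 entries, which Defender writes whenever its configuration, exclusions included, changes. It assumes an elevated PowerShell session on a Windows host with Microsoft Defender Antivirus installed.

```powershell
# Constructed allowlist of exclusions the organisation expects; anything else is reported.
$ApprovedExclusions = @(
    'C:\ProgramData\ApprovedBackupAgent',   # hypothetical entry, replace with your own
    '.bak'
)

# Get-MpPreference is the supported way to read exclusions; the registry keys named in
# the article are read as a cross-check (their ACLs may deny even administrators).
$fromCmdlet = @()
try {
    $pref = Get-MpPreference -ErrorAction Stop
    $fromCmdlet += $pref.ExclusionPath      | ForEach-Object { [pscustomobject]@{Type='Path';      Value=$_; Source='Get-MpPreference'} }
    $fromCmdlet += $pref.ExclusionExtension | ForEach-Object { [pscustomobject]@{Type='Extension'; Value=$_; Source='Get-MpPreference'} }
    $fromCmdlet += $pref.ExclusionProcess   | ForEach-Object { [pscustomobject]@{Type='Process';   Value=$_; Source='Get-MpPreference'} }
} catch {
    Write-Warning "Get-MpPreference failed: $($_.Exception.Message)"
}

$base = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
$fromRegistry = foreach ($sub in 'Paths', 'Extensions', 'Processes') {
    $key = Join-Path $base $sub
    try {
        # Each exclusion is stored as a value NAME under the subkey (data is a DWORD 0).
        (Get-Item -Path $key -ErrorAction Stop).GetValueNames() |
            ForEach-Object { [pscustomobject]@{Type=$sub; Value=$_; Source='Registry'} }
    } catch {
        Write-Warning "Cannot read ${key}: $($_.Exception.Message)"
    }
}

$all        = @($fromCmdlet) + @($fromRegistry) | Where-Object { $_.Value }
$unexpected = $all | Where-Object { $ApprovedExclusions -notcontains $_.Value }

if ($unexpected) {
    Write-Host 'Unexpected Defender exclusions:' -ForegroundColor Yellow
    $unexpected | Sort-Object Type, Value -Unique | Format-Table -AutoSize
} else {
    Write-Host 'No unexpected Defender exclusions found.'
}

# Event ID 5007 records configuration changes; entries mentioning Exclusions show when
# an exclusion was added, which can then be correlated with process-creation telemetry.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message | Format-List
```

On a fleet, the same check is better expressed as a scheduled query in your EDR or SIEM, alerting on any 5007 event whose message names an Exclusions key outside the approved set.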
