MosaicLoader - New Malware Hides Between Windows Defender Exclusions

MosaicLoader, a new malware that uses Windows Defender exclusions to hide from detection, has been discovered by researchers at Bitdefender. The malware can deliver any payload to the infected system, making it potentially profitable as a delivery service.

In their report, the researchers said, “The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links.”

MosaicLoader has a sophisticated internal structure adapted to prevent reverse engineering and evade analysis. The malware relies on search engine optimization (SEO) poisoning to reach victims: the attackers purchase ad slots in search engine results so that their malicious links appear as top results when users search for terms related to pirated software.

Once a victim runs it, the initial Delphi-based dropper poses as a software installer and acts as the entry point for fetching new payloads from a remote server. It also adds local exclusions in Windows Defender for the two downloaded executables in an attempt to keep them from being scanned.

Windows Defender exclusions can be found in the registry keys listed below:

  • File and folder exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  • File type exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
  • Process exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
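Because the dropper writes its exclusions into exactly these keys, the first thing to check on a suspect host is whether any exclusions exist that the administrator did not create. The following PowerShell script is an added example, not code from the Bitdefender report: it enumerates the three registry keys above, cross-checks them against what the Defender engine itself reports via Get-MpPreference, and pulls recent configuration-change events (event ID 5007 in the Defender Operational log) so that the time an exclusion was added can be correlated with the installer's execution. It assumes an elevated session on a machine with the Defender PowerShell module.

```powershell
# Added example (not from the Bitdefender report): list Windows Defender exclusions
# from the registry keys named in the article and cross-check them with Defender itself.
# Run in an elevated PowerShell session on the host being examined.

$exclusionKeys = @{
    'Paths'      = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    'Extensions' = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions'
    'Processes'  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes'
}

function Get-DefenderExclusionEntries {
    $results = @()
    foreach ($kind in $exclusionKeys.Keys) {
        $path = $exclusionKeys[$kind]
        if (-not (Test-Path $path)) { continue }
        # Each exclusion is stored as a value *name* under the key; the value data is irrelevant.
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            $results += [pscustomobject]@{ Type = $kind; Exclusion = $name }
        }
    }
    return $results
}

$entries = @(Get-DefenderExclusionEntries)
if ($entries.Count -eq 0) {
    Write-Output 'No Windows Defender exclusions found in the registry.'
} else {
    Write-Output 'Windows Defender exclusions currently configured (review each one):'
    $entries | Format-Table -AutoSize
}

# Cross-check against what the Defender engine reports; a mismatch between the registry
# and Get-MpPreference is itself worth investigating.
$pref = Get-MpPreference
Write-Output ("Defender reports {0} path, {1} extension and {2} process exclusion(s)." -f
    @($pref.ExclusionPath).Count, @($pref.ExclusionExtension).Count, @($pref.ExclusionProcess).Count)

# Defender records configuration changes (added exclusions included) as event ID 5007.
# Recent entries show *when* an exclusion appeared, which can be lined up with the
# execution time of a suspicious installer.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -MaxEvents 20 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' } |
    Select-Object TimeCreated, Message
```

Any path exclusion pointing at a user-writable location (a temp folder, a download directory, a freshly created folder under AppData) deserves particular attention, since a legitimate administrator rarely needs to exclude such locations and a dropper that installs there has every reason to.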

It uses one of the binaries, “appsetup.exe”, to achieve persistence on the system, while the second, “prun.exe”, functions as a downloader for a sprayer module. The sprayer can retrieve and deploy a number of threats from a list of URLs, ranging from cookie stealers to cryptocurrency miners and even more advanced implants such as Glupteba.

“Prun.exe” is notable for its volley of obfuscation and anti-reverse-engineering techniques: it separates code chunks with random filler bytes, while the execution flow is designed to “jump over these parts and only execute the small, meaningful chunks.”

MosaicLoader has a number of capabilities that make it possible to turn compromised systems into botnets, which can then be used to propagate multiple, evolving sets of sophisticated malware. This includes both publicly available and customized malware used to obtain, expand, and maintain unauthorized access to victim computers and networks.

The Bitdefender researchers added, “The best way to defend against MosaicLoader is to avoid downloading cracked software from any source. Besides being against the law, cybercriminals look to target and exploit users searching for illegal software,” noting that it is essential to “check the source domain of every download to make sure that the files are legitimate.”
