Researchers have lifted the lid on a previously undocumented malware strain dubbed MosaicLoader that singles out individuals searching for cracked software as part of a global campaign. The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service. It is also capable of evading analysis and reverse engineering.

The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links.


Attacks involving MosaicLoader rely on a tactic for malware delivery called search engine optimization (SEO) poisoning, wherein cybercriminals purchase ad slots in search engine results to boost their malicious links as top results when users search for terms related to pirated software.

Upon successful infection, the initial Delphi-based dropper, which masquerades as a software installer, acts as an entry point to fetch next-stage payloads from a remote server. It also adds local exclusions in Windows Defender for the two downloaded executables in an attempt to thwart antivirus scanning.

Windows Defender exclusions can be found in the registry keys listed below:

  • File and folder exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  • File type exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
  • Process exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
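
The following audit script is an added example, not part of the original article: it enumerates the three registry keys listed above and flags any exclusion whose file name matches the two executables the article names. The function name `Get-DefenderExclusionAudit` and the finding labels are hypothetical, and the script assumes an elevated PowerShell prompt.

```powershell
# Added audit example (not from the article). Run from an elevated prompt.
$ExclusionRoot = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
$Subkeys       = 'Paths', 'Extensions', 'Processes'  # the three keys listed above
$ReportedNames = 'appsetup.exe', 'prun.exe'          # file names named in the article

function Get-DefenderExclusionAudit {                # hypothetical helper name
    foreach ($sub in $Subkeys) {
        $keyPath = Join-Path $ExclusionRoot $sub
        try {
            $key = Get-Item -LiteralPath $keyPath -ErrorAction Stop
        } catch {
            # Missing key or access denied: report it, do not read it as "no exclusions".
            [pscustomobject]@{ Kind = $sub; Entry = ''; Finding = "UNREADABLE: $($_.Exception.Message)" }
            continue
        }
        # Each exclusion is stored as a value name under the key.
        foreach ($entry in $key.GetValueNames()) {
            if ([string]::IsNullOrEmpty($entry)) { continue }   # skip the unnamed default value
            $leaf = ($entry -split '[\\/]')[-1]                  # last path component, string-only
            $finding = if ($ReportedNames -contains $leaf) {
                'MATCH: file name the article reports for MosaicLoader'
            } elseif ($sub -eq 'Extensions' -and $entry.TrimStart('.') -eq 'exe') {
                'BROAD: all .exe files excluded (added heuristic)'
            } else {
                'REVIEW: confirm an administrator set this exclusion'
            }
            [pscustomobject]@{ Kind = $sub; Entry = $entry; Finding = $finding }
        }
    }
}

Get-DefenderExclusionAudit | Sort-Object Finding | Format-Table -AutoSize -Wrap
```

The match is by file name only, so every remaining exclusion still needs to be checked against what administrators actually configured.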

One of the binaries, “appsetup.exe,” is designed to achieve persistence on the system, whereas the second executable, “prun.exe,” functions as a downloader for a sprayer module that can retrieve and deploy a variety of threats from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba.


Given MosaicLoader’s wide-ranging capabilities, compromised systems can be co-opted into a botnet that the threat actor can then exploit to propagate multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand, and maintain unauthorized access to victim computers and networks.

Use only legitimate software and avoid cracked software to stay clear of MosaicLoader-style attacks.