A new piece Malware uses paid advertising in search results to target users looking for pirated software. It uses sophisticated techniques to hide its presence while dropping a Pandora’s box of malicious programs on victims’ systems.
Security company Bitdefender detailed the inner workings of the MosaicLoader software, mimicking legitimate game-related software to avoid detection.
Bitdefender’s report found that the first malware dropper was stored in archives purporting to offer cracked software installers. The company said cyber criminals appear to be buying pay-per-click (PPC) advertising related to pirated software and then inserting those links to the malware droppers into their ads.
The initial program acts as an installer for “malware sprayer” software, which it downloads from a command and control server (C2). This malware comes from a list of sources maintained by the criminals behind the software, including URLs used to host malware files and public Discord channels.
The malware the program installs contains simple ones Cookie thieves which can be used to hijack victims’ online sessions. You can exfiltrate Facebook credentials, allowing cyber criminals to take over a victim’s account, post posts that damage a victim’s reputation, or further spread malware.
Contains other malware that the dropper installs Cryptocurrency miners and the back door of Glupteba, a botnet program that launches multiple attacks on browsers and home routers and takes its instructions over the Bitcoin blockchain.
After downloading the first few files, the malware dropper uses Power Shell to exclude them from Windows Defender’s anti-malware scanner. It then registers an executable file in the Windows registry and installs a service to reinsert that entry when the user removes it.
BitDefender’s analysis shows that the malware uses many tricks to avoid detection. It creates folders that look like game directories to store its files and uses processes that look like they are software from. To run GPU Vendor NVIDIA.
The malware also disguises its activities by breaking its code into small pieces and jumping between them. It also uses large number math operations to generate data that the program needs, which makes its code look more like blocks of data. It also contains padding data that does nothing but add more noise to the code, making it harder for security researchers to troubleshoot.
In stark contrast to their code obfuscation, the malware authors hardcoded the URL of their C2 server. This enabled the researchers to determine the IP address of the server and link it to several other malware campaigns.
Top barriers and business strategies for digital sellers
This survey shows both challenges and new opportunities in 2021
Contactless with shoppers in a post-COVID world
Hybrid cloud for video surveillance
What it is and why you want one
DevOps: A look from inside the company
What drives DevOps, the impact of value stream management, and more