MosaicLoader Distributed via Ads in Search Results

Researchers at Bitdefender have discovered a new password-stealing malware that targets Windows users. The malware is delivered via ads that appear in the user's search results. This is not the first time we have seen this distribution method being used this year. At the beginning of June security firm, Morphisec revealed that several info-stealing malware strains were actively being distributed via Google pay per click (PPC) ads.

The malware discovered by Bitdefender has been named MosaicLoader and is more than just an info stealer targeting users’ passwords. The malware can also mine cryptocurrency and act as a dropper for other strains of malware in particular trojans. Based on the distribution method the threat actors are not targeting specific organizations or individuals.

Rather, the threat actors are targeting those searching for cracked or pirated versions of popular software packages. Given the nature of this distribution tactic, it is likely that personal computers will be most impacted by the attack campaign.

mosaicloader distributed through ad in Internet search results

The infection chain begins when a user attempts to download what they believe is the cracked software package. The attackers use filenames like mirc-7-64-keygen-plus-crack-fully-version-free-download, officefix-professional-6-122-crack-full-version-latest-2021, or setup-starter_v2.3.1 to further trick victims.

Once a user clicks on the link the infection process begins. The malware will attempt to hide malicious activity by adding exclusions to Windows Defender. Further, the malware will begin downloading and executing several processes that enable a variety of threats to be executed on the victim's machine. The malware will also attempt to mimic legitimate processes to help further evade detection.

In an instance seen by the malware attempted to mimic NVIDIA processes. The mimicked process does show that the license has been revoked indicating that it was either cryptographically insecure or abused by malware.

In a white paper published by Bitdefender noted,

“Researchers at Fortinet noticed similar processes that used the same C2 as MosaicLoader investigated by us. In that case, attackers asked them to remove detection on the file net-helper.exe. The trick used by the malicious actors was to create seemingly legitimate executable files including manifest information such as company name and description that was related to the file’s name. The attackers stuck to this approach with the newer droppers, mimicking executable files that belong to legitimate software. While the execution flow of the malware is somewhat similar to Warzone RAT, the C2 servers and the delivered payloads do not seem related to the actors behind Warzone”

Other Malware Deployed

One of the main dangers posed by MosaicLoader is what the researchers termed its ability to act as a malware sprayer. Put differently the malware can download and execute several other malware strains once the machine is compromised. One such malware strain is the trojan Glupteba which has been used in the past to hijack browsers and routers to further distribute malware. In the past, the trojan was spread by malicious ads itself but can now be spread via other malware gaining initial access to a machine.

Along with Glupteba, MosaicLoader can install XMRig which is used to mine cryptocurrency using the machines CPU resources, and several Facebook cookie stealers. As to the impact of the malware, victims become part of a network of infected devices that can be used to spread the malware to uninfected machines. It is concerning user privacy that the biggest impact may be felt.

The malware sprayer can deliver Facebook cookie stealers on the system that might exfiltrate login data, resulting in complete account takeovers, posts that can harm the reputation of businesses or persons, or posts that spread malware. Another significantly dangerous malware delivered through MosaicLoader is the Remote Access Trojans.

They can log keypresses on the system, record audio from the microphone and images from the webcam, capture screenshots, etc. With this private information, attackers can take over accounts, steal digital identities and attempt to blackmail victims.

Researchers believe that home users and those forced to work remotely may suffer the biggest impact of the campaign. Remote workers are seen as the most likely to look for cracked software packages that typically come with a large price tag or yearly license costs. The software may be required for work but the funds to purchase a license or software for a personal computer hastily turned into a workstation, have not been provided for.

In some circumstances, this could add a level of pressure that helps cause the employee to download a malicious package. It is also true that some people just want free software packages without absolutely needing them for work.

MosaicLoader should be a reminder to all that what is advertised as free rarely is. The use of cracked or pirated software, along with downloads of popular entertainment mediums, has long been a favored attack vector for hackers. To that extent Bitdefender advises,

“The best way to defend against MosaicLoader is to avoid downloading cracked software from any source. Besides being against the law, cybercriminals look to target and exploit users searching for illegal software. We recommend to always check the source domain of every download to make sure that the files are legitimate and to keep your antimalware and other security solutions up to date.”

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal