New MosaicLoader Malware Used to Spread RATs
Security researchers have run into a previously unknown malware, called MosaicLoader. It is gaining traction across the world and acts as a fully featured malware delivery tool, used to spread Facebook cookie stealers and remote access trojans.
Researchers discovered that MosaicLoader is being spread using paid advertisements showing up in search results, primarily targeted at people looking for cracked or otherwise pirated software, as well as cracked computer games.
This is one of the oldest tricks in the book: the victim downloads a file believing it to be a crack or a pre-cracked executable for the application or game, when in reality it is the malware's dropper or downloader, which the victim then runs voluntarily on their own system.
MosaicLoader is very flexible because it can deliver any final payload the hackers may need. The malware grabs a list of URLs from its C2 servers, then proceeds to download the desired payload from those links.
While examining MosaicLoader samples in a testing environment, researchers saw it download Facebook cookie stealers that scrape login details and can effectively allow account takeovers, as well as remote access trojans with a wide range of capabilities, including keylogging and recording media through the computer's microphone and camera.
Once the loader contacts its C2 servers, it downloads an archive containing the files responsible for the next stage of infection. That second stage is carried out by two files, one of which is called appsetup.exe. The dropper has already added Windows Defender exceptions for the later-stage payloads; appsetup.exe then establishes persistence through registry edits.
Another file called prun.exe injects some of its obfuscated code into a new process that finally contacts the C2 servers and obtains the final payload.
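As an added example, not code from the report or from the MosaicLoader operators, the following PowerShell audit surfaces the two host artefacts described above on a Windows machine: Windows Defender exclusions and autostart registry entries, flagging any that reference appsetup.exe or prun.exe. It assumes local administrator rights and that the persistence registry edits land in the common Run/RunOnce keys (the report does not name the key); Defender event ID 5007 is used to timestamp configuration changes such as newly added exclusions.

```powershell
# Added defender-side audit for a Windows host, not MosaicLoader code.
# Assumptions: run as local administrator; the persistence "registry edits"
# the report mentions land in Run/RunOnce (the report does not name the key).

# File names taken from the report.
$SuspectNames = @('appsetup.exe', 'prun.exe')
$Findings = @()

function Get-Severity([string]$Value) {
    # 'High' when the value references one of the reported file names,
    # otherwise 'Review' so unexpected entries are still listed for a human.
    foreach ($n in $SuspectNames) { if ($Value -like "*$n*") { return 'High' } }
    return 'Review'
}

# 1. Defender exclusions: the dropper adds exceptions for later-stage payloads,
#    so any exclusion nobody created deliberately deserves a look.
$Prefs = Get-MpPreference
foreach ($Kind in 'ExclusionPath', 'ExclusionProcess', 'ExclusionExtension') {
    foreach ($Entry in @($Prefs.$Kind)) {
        if (-not $Entry) { continue }
        $Findings += [pscustomobject]@{
            Source = "Defender $Kind"; Value = $Entry; Severity = (Get-Severity $Entry)
        }
    }
}

# 2. Run/RunOnce autostart entries for the machine and the current user.
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($Prop in ($Props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $Cmd = [string]$Prop.Value
        $Findings += [pscustomobject]@{
            Source = "$Key\$($Prop.Name)"; Value = $Cmd; Severity = (Get-Severity $Cmd)
        }
    }
}

# 3. Defender event 5007 records configuration changes (including new exclusions)
#    with a timestamp to correlate against when the "crack" was downloaded.
$Log = 'Microsoft-Windows-Windows Defender/Operational'
Get-WinEvent -FilterHashtable @{ LogName = $Log; Id = 5007 } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message | Format-List

$Findings | Sort-Object Severity | Format-Table -AutoSize
```

Entries marked High are the ones worth isolating the host over; Review entries are simply exclusions and autostarts that should be matched against known-good software before being dismissed.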
Given how MosaicLoader is primarily distributed, the best and simplest way to avoid the initial infection vector is to not search for pirated or cracked applications and games at all.