New MosaicLoader Malware Used to Spread RATs

Security researchers have identified a previously unknown malware family, called MosaicLoader. It is gaining traction across the world and acts as a fully featured malware delivery tool, used to spread Facebook cookie stealers and remote access trojans.

Researchers discovered that MosaicLoader is being spread using paid advertisements showing up in search results, primarily targeted at people looking for cracked or otherwise pirated software, as well as cracked computer games.

This is one of the oldest tricks in the book: the victim downloads a file thinking it is a crack or a pre-cracked executable for the application or game, but in reality it is the malware's dropper or downloader, which the victim voluntarily executes on their system.

MosaicLoader is very flexible because it can deliver any final payload the hackers may need. The malware grabs a list of URLs from its C2 servers, then proceeds to download the desired payload from those links.

During the time samples of MosaicLoader were examined in a testing environment, researchers saw it downloading Facebook cookie stealers that scrape login details and can effectively allow for account takeovers, as well as remote access trojans that have a wide range of capabilities, including keylogging and recording media using the computer's microphone and camera.

Once the loader contacts its C2 servers, it downloads an archive file which contains the files responsible for the next stage of infection. The second stage is carried out using two files, one of which is called appsetup.exe. By this point the dropper has already added Windows Defender exceptions for the later-stage payloads; appsetup.exe then takes care of persistence using registry edits.

Another file called prun.exe injects some of its obfuscated code into a new process that finally contacts the C2 servers and obtains the final payload.
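The two host-side artifacts described above, Windows Defender exclusions added for the later-stage payloads and registry-based persistence, are both things a defender can audit directly. The following PowerShell script is an added example, not code from the article or from the MosaicLoader research; it lists the current Defender exclusions, enumerates autostart entries, and flags any autostart command that points into an excluded or user-writable directory. The article says only "registry edits", so the Run/RunOnce keys used here are an assumption based on common persistence locations, not keys the article names.

```powershell
# Added example (not from the article or the MosaicLoader research): audit the two
# host artifacts the article describes, Windows Defender exclusions and registry
# persistence, on a live machine. Run from an elevated PowerShell on a Windows host
# with Microsoft Defender.
# Assumption: the article only says "registry edits"; the Run/RunOnce keys below are
# the most common autostart locations, not locations the article identifies.

function Get-DefenderExclusionReport {
    # Get-MpPreference exposes the three exclusion types Defender supports.
    $pref = Get-MpPreference
    [PSCustomObject]@{
        Paths      = @($pref.ExclusionPath)
        Processes  = @($pref.ExclusionProcess)
        Extensions = @($pref.ExclusionExtension)
    }
}

function Get-RunKeyEntries {
    $runKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Get-ItemProperty adds PSPath/PSParentPath/etc.; skip those metadata members.
            if ($p.Name -like 'PS*') { continue }
            [PSCustomObject]@{ Key = $key; Name = $p.Name; Command = [string]$p.Value }
        }
    }
}

# A loader that first excludes a directory from Defender and then persists an
# executable from that directory produces a combination that legitimate software
# rarely does: an autostart command living inside an excluded path. Commands in
# user-writable locations (AppData, Temp, ProgramData, Users\Public) are flagged
# separately as a weaker signal worth reviewing.
function Find-SuspiciousPersistence {
    $excl = Get-DefenderExclusionReport
    foreach ($e in Get-RunKeyEntries) {
        $cmd = $e.Command
        $inUserWritable = $cmd -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\'
        $inExcludedPath = $false
        foreach ($path in $excl.Paths) {
            if ($path -and $cmd.IndexOf($path, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
                $inExcludedPath = $true
            }
        }
        $e |
            Add-Member -NotePropertyName InExcludedPath    -NotePropertyValue $inExcludedPath -PassThru |
            Add-Member -NotePropertyName InUserWritableDir -NotePropertyValue $inUserWritable -PassThru
    }
}

# Report the exclusions themselves, then only the autostart entries that hit a signal.
Get-DefenderExclusionReport | Format-List
Find-SuspiciousPersistence |
    Where-Object { $_.InExcludedPath -or $_.InUserWritableDir } |
    Format-Table Key, Name, Command, InExcludedPath, InUserWritableDir -AutoSize
```

The point-in-time check above is most useful when compared against a known-good baseline of exclusions for the machine; any exclusion that was not deployed by policy deserves an explanation, whether or not an autostart entry currently points into it.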

Seeing how MosaicLoader is primarily distributed, when it comes to the original infection vector, the best and simplest way to steer clear of infection is to simply not search for pirated and cracked applications and games.

July 21, 2021