A never-before-documented Windows malware strain dubbed MosaicLoader is spreading worldwide, acting as a full-service malware-delivery platform that’s being used to infect victims with remote-access trojans (RATs), Facebook cookie stealers and other threats.
That’s according to Bitdefender researchers, who found that the loader is spreading indiscriminately worldwide through paid ads in search results, targeting people looking for pirated software and games. It masquerades as a cracked software installer, but in reality, it’s a downloader that can deliver any payload to an infected system.
“The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service,” researchers at Bitdefender explained, in an analysis released on Tuesday. “It downloads a malware sprayer that obtains a list of URLs from the command-and-control (C2) server and downloads the payloads from the received links.”
Researchers observed the malware sprayer delivering Facebook cookie stealers, which exfiltrate session cookies and login data. With those, attackers can take over the victim's account and publish posts that spread further malware or damage the victim's reputation.
MosaicLoader is also spreading the Glupteba backdoor and a variety of RATs used for espionage, which can log keystrokes, record audio from the microphone and images from the webcam, capture screenshots and so on. Cryptocurrency miners have been observed among the payloads as well.
MosaicLoader: Between the Tiles
Once installed on a machine, the malware creates a complex chain of processes, according to Bitdefender. Its hallmark, researchers said, is an obfuscation technique that breaks the code into small chunks and shuffles them around, producing an intricate, mosaic-like structure; hence the name.
The first stage of the execution flow is the installation of a dropper, which mimics legitimate software: Most of the first-stage droppers that researchers analyzed have icons and “version information” that mirror those used for legitimate applications. In some cases, the dropper pretends to be a NVIDIA process, for instance.
The dropper contacts the C2 (its URL is hardcoded as a string in the binary), then downloads a .ZIP file into the %TEMP% folder containing the two files required for the second stage: appsetup.exe and prun.exe. These are extracted to an innocuous-sounding "PublicGaming" folder in the root of the C: drive. The dropper also launches several instances of PowerShell to add Windows Defender exclusions for that folder and for the two file names, so the second stage is never scanned.
Second Stage: appsetup.exe
The appsetup.exe process is used to attain persistence on the system. First, it adds a new registry value that points to the other second-stage component, prun.exe. Then it registers itself as a service called "pubgame-updater" that runs periodically, so that even if the persistence registry value is cleaned up, the service re-creates it.
Finally, it launches prun.exe.
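The artifacts this chain leaves behind are concrete enough to hunt for. The script below is an added example, not part of Bitdefender's analysis: it assumes the staging folder is C:\PublicGaming, that the "registry value" lives in one of the standard Run keys (the analysis does not say which key), and that the host has the Defender PowerShell module. Run it from an elevated prompt; the HKCU check then covers the elevated user's hive only.

```powershell
# Hunt for MosaicLoader staging and persistence artifacts (added example).
# Assumptions: folder C:\PublicGaming; persistence value in a Run key.
$Folder      = 'C:\PublicGaming'
$Binaries    = @('appsetup.exe', 'prun.exe')
$ServiceName = 'pubgame-updater'
$Findings    = [System.Collections.Generic.List[object]]::new()

function Add-Finding([string]$Indicator, [string]$Detail) {
    $script:Findings.Add([pscustomobject]@{ Indicator = $Indicator; Detail = $Detail })
}

# 1. Staging folder and the second-stage binaries, hashed for sharing with peers
if (Test-Path -LiteralPath $Folder) {
    Add-Finding 'Staging folder' $Folder
    Get-ChildItem -LiteralPath $Folder -File -ErrorAction SilentlyContinue |
        Where-Object { $Binaries -contains $_.Name } |
        ForEach-Object {
            $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Add-Finding 'Second-stage binary' "$($_.FullName) sha256=$hash"
        }
}

# 2. Dropper download: a ZIP left in %TEMP% that still holds both second-stage files
Add-Type -AssemblyName System.IO.Compression.FileSystem
Get-ChildItem -Path $env:TEMP -Filter '*.zip' -File -ErrorAction SilentlyContinue | ForEach-Object {
    try {
        $zip   = [System.IO.Compression.ZipFile]::OpenRead($_.FullName)
        $names = @($zip.Entries | ForEach-Object { $_.Name })
        $zip.Dispose()
        $hits = @($Binaries | Where-Object { $names -contains $_ })
        if ($hits.Count -eq $Binaries.Count) { Add-Finding 'Dropper archive in %TEMP%' $_.FullName }
    } catch { }
}

# 3. Defender exclusions added by the dropper's PowerShell instances
$prefs = Get-MpPreference -ErrorAction SilentlyContinue
if ($prefs) {
    $prefs.ExclusionPath    | Where-Object { $_ -like "$Folder*" } |
        ForEach-Object { Add-Finding 'Defender path exclusion' $_ }
    $prefs.ExclusionProcess | Where-Object { $_ -match 'appsetup\.exe$|prun\.exe$' } |
        ForEach-Object { Add-Finding 'Defender process exclusion' $_ }
}
# Defender records every preference change as event 5007; the message names the exclusion
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' -and $_.Message -match 'PublicGaming|appsetup\.exe|prun\.exe' } |
    ForEach-Object { Add-Finding 'Defender exclusion change (event 5007)' "$($_.TimeCreated) $($_.Message -replace '\s+', ' ')" }

# 4. The service that re-creates the Run value
Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'" -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) start=$($_.StartMode) state=$($_.State) path=$($_.PathName)" }

# 5. Run values pointing at prun.exe (assumed location of the persistence value)
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $RunKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'prun\.exe' } |
        ForEach-Object { Add-Finding 'Run value' "$key\$($_.Name) = $($_.Value)" }
}

if ($Findings.Count -eq 0) { 'No MosaicLoader artifacts found.' } else { $Findings | Format-Table -AutoSize -Wrap }
```

The Defender exclusion checks are the ones worth keeping even after the file names change: a freshly added exclusion for a folder under C:\ that no installed product owns, paired with a 5007 event, is a strong signal on its own, and the event survives even if the attacker later removes the exclusion.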
Second Stage: prun.exe
The prun.exe file at first seems to be a “big blob of packed data,” researchers said – but reverse-engineering the file reveals a function call that transfers the execution of the malware from the main code section to a secondary one.
“The most prevalent [obfuscation] technique is the presence of jumps that break the code into small chunks,” Bitdefender researchers explained. “Some of these jumps are conditional, but the code above them makes sure the conditions are always satisfied.”
A second technique used by prun.exe is the use of mathematical operations with large numbers to obtain values required by the program.
“This technique makes code hard to follow while reverse-engineering, and it makes the section seem to contain only data,” they explained. “Between the code chunks are random filler bytes too. These bytes help maintain the impression that the section contains data. The code flow jumps over these parts and only executes the small, meaningful chunks.”
Combining these techniques allows the malware to scramble the order of the chunks to be executed, because the flow can jump around from piece to piece.
“It creates a mosaic-like structure where the code of the functions is not contiguous and pieces of different functionalities are intertwined,” researchers said. “Even if we untangle the jumps, we can’t obtain individual functions, as in some cases, the malware omits the use of call instructions, jumping directly to the desired address.”
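A small model of this layout, added here as an example and not taken from prun.exe, shows why it defeats a sequential disassembly listing and how an analyst recovers the real flow: follow the jumps, recognise the always-true predicate so the fall-through edge is dropped, and emulate the arithmetic to obtain the value the large constants encode. The instruction set is a constructed toy, not x86, and the filler is chosen to decode as harmless-looking instructions.

```python
"""Toy model of the 'mosaic' code layout (constructed example, not MosaicLoader bytes)."""
import struct

# Constructed toy ISA: opcode -> (mnemonic, operand size). Not x86.
OPS = {0x01: ("mov", 4), 0x04: ("add", 4), 0x03: ("xor", 4),
       0x05: ("cmp", 0), 0x10: ("jmp", 1), 0x11: ("jz", 1), 0xC3: ("ret", 0)}
MASK = 0xFFFFFFFF


def decode(mem, pc):
    """Decode one instruction at pc -> (mnemonic, operand, length), or None if not code."""
    if pc >= len(mem) or mem[pc] not in OPS:
        return None
    name, size = OPS[mem[pc]]
    if pc + 1 + size > len(mem):
        return None
    if size == 4:
        operand = struct.unpack_from("<I", mem, pc + 1)[0]        # 32-bit immediate
    elif size == 1:
        operand = struct.unpack_from("<b", mem, pc + 1)[0]        # signed rel8 jump target
    else:
        operand = None
    return name, operand, 1 + size


def build_section():
    """Lay out three chunks out of order, with filler between them."""
    mem = bytearray(0x40)
    filler = b"\x01\x00\x00\x00\x00"           # decodes as 'mov acc, 0': passes for code
    for start, end in ((0x08, 0x18), (0x1E, 0x30), (0x37, 0x40)):
        for i in range(start, end):
            mem[i] = filler[(i - start) % len(filler)]

    def put(addr, data): mem[addr:addr + len(data)] = data
    def imm(op, v): return bytes([op]) + struct.pack("<I", v)
    def rel(op, src_end, dst): return bytes([op]) + struct.pack("<b", dst - src_end)

    # chunk 1 @0x00: mov acc, 0x9E3779B1 ; cmp acc, acc ; jz -> chunk 2 (always taken)
    put(0x00, imm(0x01, 0x9E3779B1) + b"\x05" + rel(0x11, 0x08, 0x30))
    # chunk 2 @0x30: add acc, 0x61C88647 ; jmp backwards -> chunk 3
    put(0x30, imm(0x04, 0x61C88647) + rel(0x10, 0x37, 0x18))
    # chunk 3 @0x18: xor acc, 0xFFFFECCF ; ret   (large constants hide the final value)
    put(0x18, imm(0x03, 0xFFFFECCF) + b"\xc3")
    return bytes(mem)


def linear_sweep(mem):
    """Decode sequentially, as a naive listing does; stops at the first byte that is not code."""
    out, pc = [], 0
    while pc < len(mem):
        ins = decode(mem, pc)
        if ins is None:
            out.append((pc, "db", mem[pc]))
            break
        out.append((pc, ins[0], ins[1]))
        pc += ins[2]
    return out


def recursive_traversal(mem, entry=0):
    """Follow control flow from entry; 'cmp acc, acc' before 'jz' marks the jump as always taken."""
    seen, work = {}, [(entry, None)]                    # work items: (pc, zero-flag if known)
    while work:
        pc, zf = work.pop()
        if pc in seen or pc >= len(mem):
            continue
        ins = decode(mem, pc)
        if ins is None:
            seen[pc] = ("db", mem[pc])
            continue
        name, operand, length = ins
        seen[pc] = (name, operand)
        nxt = pc + length
        if name == "cmp":
            work.append((nxt, True))                    # opaque predicate: ZF is always set
        elif name == "jmp":
            work.append((nxt + operand, None))
        elif name == "jz":
            work.append((nxt + operand, None))
            if zf is not True:                          # fall-through only if it could be false
                work.append((nxt, None))
        elif name != "ret":
            work.append((nxt, None))
    return seen


def chunk_ranges(mem, seen):
    """Group the reached instructions into contiguous [start, end) byte ranges."""
    ranges, start, prev_end = [], None, None
    for pc in sorted(seen):
        ins = decode(mem, pc)
        length = ins[2] if ins else 1
        if start is None or pc != prev_end:
            if start is not None:
                ranges.append((start, prev_end))
            start = pc
        prev_end = pc + length
    if start is not None:
        ranges.append((start, prev_end))
    return ranges


def emulate(mem, entry=0, max_steps=1000):
    """Execute the toy code; returns (final accumulator, trace of executed addresses)."""
    acc, zf, pc, trace = 0, False, entry, []
    for _ in range(max_steps):
        ins = decode(mem, pc)
        if ins is None:
            raise ValueError(f"bad opcode at {pc:#x}")
        name, operand, length = ins
        trace.append(pc)
        nxt = pc + length
        if name == "mov":   acc = operand
        elif name == "add": acc = (acc + operand) & MASK
        elif name == "xor": acc ^= operand
        elif name == "cmp": zf = True
        elif name == "jmp": nxt += operand
        elif name == "jz":  nxt += operand if zf else 0
        elif name == "ret": return acc, trace
        pc = nxt
    raise RuntimeError("step limit reached")


if __name__ == "__main__":
    mem = build_section()
    print("linear sweep  :", [(hex(a), n) for a, n, _ in linear_sweep(mem)])
    print("chunks reached:", [(hex(s), hex(e)) for s, e in chunk_ranges(mem, recursive_traversal(mem))])
    value, trace = emulate(mem)
    print(f"recovered constant {value:#x} via {[hex(p) for p in trace]}")
```

The sequential listing swallows the real xor at 0x18 inside a bogus mov decoded from the filler and then gives up on a non-code byte, which is exactly the "section seems to contain only data" effect the researchers describe; the traversal that honours the opaque predicate reaches only the three real chunks, and emulation turns the two large constants into the value the function actually produces.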
Prun.exe eventually uses process hollowing (starting a legitimate process suspended and replacing its in-memory image with the malicious code) to inject code into a newly created process. The goal is to communicate with the C2 and download the final stage: a malware sprayer.
Prun.exe periodically polls the C2 for instructions, but its conversation with the C2 consists of only two commands: "download" and "command." The first asks it to fetch a delivered payload and save it to disk; the second tells it to execute a specific payload.
Stage 3: Malware Sprayer
The malware sprayer's objective is to obtain a list of attacker-controlled URLs that host malware, download the file behind each one and execute it. Thus, it can deliver any malware to the system, Bitdefender researchers noted.
The URLs are varied; some have domain names that were specifically registered for hosting malware, while others are legitimate Discord URLs with files uploaded to a public channel, according to the firm.
How to Protect Against MosaicLoader
The campaign has no specific target countries or organizations, according to Bitdefender; it opportunistically infects victims who search for cracked software, and infections are spiking globally in the firm’s telemetry, it said.
“Systems infected with this malware become part of the network of machines that attackers can further infect with any piece of malware they want,” warned researchers.
The best way to defend against MosaicLoader is to avoid downloading cracked software from any source, since that is the initial infection vector (for now). Users should also check the source domain of every download to confirm that the files are legitimate, and keep security solutions up to date, researchers recommended.