The newly documented loader is a full-service malware-delivery threat that is spreading indiscriminately around the world through paid search ads.
A never-before-documented Windows malware strain dubbed Mosaic Loader is spreading worldwide, acting as a full-service malware-delivery platform that is being used to infect victims with remote-access trojans (RATs), Facebook cookie stealers and other threats.
That is according to Bitdefender researchers, who found that the loader is spreading indiscriminately worldwide through paid ads in search results, targeting people looking for pirated software and games. It pretends to be a cracked software installer, but in reality it is a downloader that can deliver any payload to an infected system.
“The attackers behind Mosaic Loader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service,” researchers at Bitdefender explained, in an analysis released on Tuesday. “It downloads a malware sprayer that obtains a list of URLs from the command-and-control (C2) server and downloads the payloads from the received links.”
Facebook Cookie Stealers
Researchers observed the malware sprayer delivering Facebook cookie stealers, which exfiltrate login data. This allows attackers to take over accounts and create posts that spread malware or cause reputational damage.
Mosaic Loader is also spreading the Glupteba backdoor and a variety of RATs for espionage purposes, they stated, which can log keystrokes, record audio from the microphone and images from the webcam, and capture screenshots, among other capabilities. Other threats observed so far include cryptocurrency miners, they revealed.
Small Code Chunks
When installed on a machine, the malware creates a complex chain of processes, according to Bitdefender. Its hallmark, researchers commented, is a unique technique that moves small code chunks around, resulting in an intricate, mosaic-like structure – hence the name.
The first stage of the execution flow is the installation of a dropper, which mimics legitimate software: most of the first-stage droppers that researchers analysed have icons and “version information” that mirror those used by legitimate applications. In some cases, the dropper pretends to be an NVIDIA process, for instance.
The dropper makes contact with the C2 (the URL of the C2 is hardcoded as a string), then downloads a .ZIP file into the %TEMP% folder that contains the two files required for the second stage: appsetup.exe and prun.exe. These are extracted to an innocent-sounding “Public Gaming” folder in the root of the C: drive, while the dropper also launches instances of PowerShell to add Windows Defender exclusions for the folder and for the specific file names.
Second Stage: appsetup.exe
The appsetup.exe process is used to attain persistence on the system. First, it adds a new registry value that points to the other component of the second stage, prun.exe. Then, it registers appsetup.exe as a service called “pubgame-updater” that runs periodically, so that even if the persistence registry value is cleaned up, the service adds it again.
Finally, it launches prun.exe.
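The staging folder, the Defender exclusions and the two persistence mechanisms described above give a responder concrete things to look for on a host. The following hunting script is an added example, not code from the article or from Bitdefender; it reports the artifacts the article names (the “Public Gaming” folder under C:\ with appsetup.exe and prun.exe, Defender exclusions for them, the “pubgame-updater” service, and an autorun registry value launching prun.exe). The article does not say which registry key the malware uses, so the Run keys checked here are an assumption, as is the exact folder path. It is read-only and removes nothing.

```powershell
# Added hunting script (not from the article or Bitdefender). Run in an elevated
# PowerShell session on the Windows host being examined. It only reports findings.

function Find-MosaicLoaderArtifacts {
    [CmdletBinding()]
    param(
        # Folder named in the article; exact path and casing are an assumption
        [string]$StagingDir = 'C:\Public Gaming',
        [string[]]$StageTwoFiles = @('appsetup.exe', 'prun.exe'),
        [string]$ServiceName = 'pubgame-updater'
    )

    $findings = New-Object System.Collections.Generic.List[string]
    $pattern  = 'Public Gaming|appsetup\.exe|prun\.exe'

    # 1. Second-stage files on disk, hashed so the result can be shared with IR
    foreach ($name in $StageTwoFiles) {
        $path = Join-Path $StagingDir $name
        if (Test-Path -LiteralPath $path) {
            $sha256 = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            $findings.Add("File: $path (SHA256 $sha256)")
        }
    }

    # 2. Defender exclusions the dropper adds for the folder and file names
    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    if ($pref) {
        (@($pref.ExclusionPath) + @($pref.ExclusionProcess)) |
            Where-Object { $_ -and $_ -match $pattern } |
            ForEach-Object { $findings.Add("Defender exclusion: $_") }
    }
    # Defender records configuration changes, including new exclusions, as event ID 5007
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions' -and $_.Message -match $pattern } |
        ForEach-Object { $findings.Add("Defender config change $($_.TimeCreated): $($_.Message -replace '\s+', ' ')") }

    # 3. The service that re-creates the autorun value if it is removed
    Get-CimInstance Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -eq $ServiceName -or $_.PathName -match $pattern } |
        ForEach-Object { $findings.Add("Service: $($_.Name) State=$($_.State) Path=$($_.PathName)") }

    # 4. Autorun registry values pointing at the second stage (Run keys are an assumption)
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            # Skip the PS* metadata properties the provider attaches to every key
            if ($prop.Name -notlike 'PS*' -and "$($prop.Value)" -match $pattern) {
                $findings.Add("Run value: $key\$($prop.Name) = $($prop.Value)")
            }
        }
    }

    # 5. Live processes executing out of the staging folder
    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.Path -and $_.Path -like "$StagingDir\*" } |
        ForEach-Object { $findings.Add("Process: PID $($_.Id) $($_.Path)") }

    return $findings
}

$results = Find-MosaicLoaderArtifacts
if ($results.Count -eq 0) {
    Write-Output 'No Mosaic Loader artifacts found.'
} else {
    Write-Warning "$($results.Count) indicator(s) found:"
    $results | ForEach-Object { Write-Output "  $_" }
}
```

The event-log check matters because a defender exclusion that has since been removed still leaves a 5007 configuration-change record, and the service check deliberately matches on the binary path as well as the name, since the name is the easiest thing for a later variant to change.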
Second Stage: prun.exe
The prun.exe file at first seems to be a “big blob of packed data,” researchers observed – but reverse-engineering the file reveals a function call that transfers the execution of the malware from the main code section to a secondary one.
“The most prevalent obfuscation technique is the presence of jumps that break the code into small chunks,” Bitdefender researchers explained. “Some of these jumps are conditional, but the code above them makes sure the conditions are always satisfied.”
A second technique used by prun.exe is the use of mathematical operations on large numbers to obtain values required by the program.
“This technique makes code hard to follow while reverse-engineering, and it makes the section seem to contain only data,” they explained. “Between the code chunks are random filler bytes too. These bytes help maintain the impression that the section contains data. The code flow jumps over these parts and only executes the small, meaningful chunks.”
Combining these techniques allows the malware to scramble the order of the chunks to be executed, because the flow can jump from piece to piece.
“It creates a mosaic-like structure where the code of the functions is not contiguous and pieces of different functionalities are intertwined,” researchers explained. “Even if we untangle the jumps, we can’t obtain individual functions, as in some cases, the malware omits the use of call instructions, jumping directly to the desired address.”
Prun.exe eventually uses a process-hollowing technique to inject code into a newly created process. The goal is to communicate with the C2 to download the final stage: a malware sprayer.
Prun.exe periodically sends requests to the C2 for commands, but its conversation with the C2 consists of only two commands: “Download” and “command.” The first asks it to fetch a delivered payload and save it to disk. The second instructs it to execute a specific payload.
Stage 3: Malware Sprayer
The malware sprayer’s objective is to download malware from a list of attacker-controlled URLs that host it, and to execute what it downloads. Thus, it can deliver any malware to the system, Bitdefender researchers noted.
The URLs are varied; some have domain names that were specifically registered for hosting malware, while others are legitimate Discord URLs with files uploaded to a public channel, according to the firm.
How to Protect
The campaign has no specific target countries or organisations, according to Bitdefender; it opportunistically infects victims who search for cracked software, and infections are spiking globally in the firm’s telemetry.
“Systems infected with this malware become part of the network of machines that attackers can further infect with any piece of malware they want,” warned researchers.
The best way to defend against Mosaic Loader is to avoid downloading cracked software from any source, since that is the initial infection vector for now. Users should also check the source domain of every download to make sure that the files are legitimate, and keep security solutions up to date, researchers recommended.