This New Malware Hides Itself Among Windows Defender Exclusions to Avoid Detection

On Tuesday, security experts confirmed the existence of a previously undocumented malware strain named “MosaicLoader,” which targets people looking for cracked software as part of a global campaign. 

Bitdefender researchers stated in a report shared with The Hacker News, “The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service.” 

“The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links.” 

The malware’s name comes from its complex internal structure, which is designed to avoid reverse engineering and escape investigation. MosaicLoader attacks employ a well-known malware delivery technique known as search engine optimization (SEO) poisoning, in which hackers buy ad slots in search engine results to elevate their harmful URLs to the top of the results when users search for keywords linked to pirated software. 

Following a successful infection, the Delphi-based dropper which masquerades as a software installer and serves as an entry point for retrieving next-stage payloads from a remote server and adding local exclusions in Windows Defender for the two downloaded executables in an effort to circumvent antivirus scanning. 

It’s important to note that such Windows Defender exclusions can be found in the registry keys listed below: 

1.File and folder exclusions – HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows DefenderExclusionsPaths 

2.File type exclusions – HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows DefenderExclusionsExtensions 

3.Process exclusions – HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows DefenderExclusionsProcesses 

One of the binaries, “appsetup.exe,” is designed to attain system persistence, while the second, “prun.exe,” is a downloader for a sprayer module that can obtain and deploy a range of attacks from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba. 

Because of MosaicLoader’s broad capabilities, compromised systems can be co-opted into a botnet, which the threat actor can then use to spread a variety of malicious software, including both publicly available and customized malware, to gain, expand, and manage unauthorized access to victim computers and networks. 

The researchers added, “The best way to defend against MosaicLoader is to avoid downloading cracked software from any source.”

Besides being against the law, cybercriminals look to target and exploit users searching for illegal software, adding it’s essential to check the source domain of every download to make sure that the files are legitimate.