MosaicLoader Malware Description
Infosec researchers have uncovered a threatening Windows malware loader that is spreading worldwide and is capable of delivering virtually any payload to compromised systems. This malware delivery platform employs a combination of several novel obfuscation techniques that make detection, analysis, and reverse-engineering of the code extremely difficult. In practice, the loader splits its code into small chunks and jumps between them in a mosaic-like pattern, hence the name MosaicLoader given to this threat.
The malware spreads via paid advertisements injected into users' search results. The advertisements appear to offer pirated software products or games, and the threat disguises itself as a cracked installer for the advertised product. Once it has infiltrated the user's device, MosaicLoader delivers a malware sprayer capable of deploying a wide range of payloads, depending on the specific goals of the attackers.
Researchers have observed MosaicLoader deploying Facebook cookie collectors that exfiltrate login data and credentials, allowing the attackers to compromise the user's account and then exploit it for a variety of malicious purposes. The threat has also been used to deliver a backdoor named Glupteba, as well as several RATs (Remote Access Trojans) with cyberespionage capabilities. Through the RATs, the attackers can initiate keylogging routines, record audio from any microphone connected to the compromised device, capture images from webcams, take arbitrary screenshots, and more. Among the threats delivered by MosaicLoader are also crypto-miners that hijack the system's hardware resources to mine a specific cryptocurrency.
During the initial stage, a dropper mimicking legitimate software is established on the breached device. These first-stage droppers carry 'version numbers' and icons imitating those of legitimate applications; in one observed instance, the dropper tried to pass itself off as an NVIDIA process. The main task at this point is to fetch a ZIP archive containing two next-stage files from the Command-and-Control (C2, C&C) server. The archive is first downloaded to the %TEMP% folder and then extracted into a newly created 'PublicGaming' folder.
Of the two files in the ZIP, 'appsetup.exe' is tasked with establishing the loader's persistence mechanisms. It adds a new Registry value for the other component, 'prun.exe', and then registers itself as a service named 'pubgame-updater' that is set to run periodically. This ensures that even if the registry values are deleted, the service will run again afterward and recreate them.
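The persistence chain above gives a defender three concrete things to look for on a host: the 'pubgame-updater' service, a registry value that points at prun.exe, and the 'PublicGaming' staging folder under %TEMP%. The following Python is an added example, not code from the original write-up or from the researchers who analysed the loader: it runs simple detection logic over a handful of constructed Windows event records. The event field names follow Sysmon and System-log conventions (7045 service install, Sysmon 13 registry value set, Sysmon 11 file create); the choice of a Run/RunOnce key, the sample paths, the SID and the value name are assumptions, since the write-up does not name the key.

```python
"""Hunt constructed Windows event records for the MosaicLoader persistence
indicators described above: the 'pubgame-updater' service, a Run-key value
that references prun.exe, and a 'PublicGaming' folder created under %TEMP%.
Constructed example: event field names follow Sysmon/System-log conventions;
the Run-key location and the sample paths/value names are assumptions."""
import re
from dataclasses import dataclass

# Indicators taken from the write-up.
SERVICE_NAME = "pubgame-updater"
LOADER_BINARY = "prun.exe"
STAGING_DIR = "\\publicgaming\\"

# Assumption: the value is created under a standard Run/RunOnce key; the
# write-up only says a registry value is added for prun.exe.
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def check_event(ev: dict) -> list:
    """Return the findings a single event record triggers (empty if benign)."""
    findings = []
    eid = ev.get("EventID")

    # System log 7045: a new service was installed. Match on the service name.
    if eid == 7045 and ev.get("ServiceName", "").lower() == SERVICE_NAME:
        findings.append(Finding("service_install", eid, ev["ServiceName"]))

    # Sysmon 13: registry value set. Flag a Run-key value whose data names prun.exe.
    if eid == 13:
        target = ev.get("TargetObject", "")
        data = ev.get("Details", "").lower()
        if RUN_KEY_RE.search(target) and LOADER_BINARY in data:
            findings.append(Finding("run_key_loader", eid, target))

    # Sysmon 11: file created. Flag writes into a PublicGaming folder below a Temp path.
    if eid == 11:
        path = ev.get("TargetFilename", "").lower()
        if STAGING_DIR in path and "\\temp\\" in path:
            findings.append(Finding("staging_dir", eid, ev["TargetFilename"]))

    return findings


def hunt(events) -> list:
    """Run check_event over a stream of records and collect every finding."""
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry: three records mimicking the persistence chain
# plus two benign records. Paths, SID and value name are made up.
STAGE_DIR = "C:\\Users\\alice\\AppData\\Local\\Temp\\PublicGaming"
SAMPLE_EVENTS = [
    {"EventID": 7045, "ServiceName": "pubgame-updater",
     "ImagePath": STAGE_DIR + "\\appsetup.exe"},
    {"EventID": 13,
     "TargetObject": "HKU\\S-1-5-21-1111-2222-3333-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\prun",
     "Details": STAGE_DIR + "\\prun.exe"},
    {"EventID": 11, "TargetFilename": STAGE_DIR + "\\prun.exe"},
    {"EventID": 7045, "ServiceName": "ConstructedBenignSvc"},
    {"EventID": 13,
     "TargetObject": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleApp",
     "Details": "C:\\Program Files\\ExampleApp\\example.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
```

Each indicator is checked independently, so a host where only the service survived (for example after the Run value was cleaned up, which is exactly the situation the periodic service is designed to recover from) still produces a finding. Matching is case-insensitive on the service name and paths because Windows treats both that way.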
prun.exe is the main component of the MosaicLoader malware. It carries all of the obfuscation techniques that allow it to split its code into chunks and then scramble the order in which they are executed. The core task of this process is to reach out to the C2 server and fetch the malware sprayer component.
Once delivered to the system, the malware sprayer obtains a list of URLs controlled by the attackers that host the final malware payloads intended to escalate the attack against the target. The URLs detected so far are varied in nature: according to the researchers, some were created solely for hosting malware, while others are legitimate Discord URLs that point to files uploaded to a public channel. The sprayer downloads and then executes the payloads.