
Cybersecurity researchers lifted the lid on a previously undocumented malware strain dubbed “MosaicLoader” that singles out individuals searching for cracked software as part of a global campaign.

The malware strain installs a Windows utility on infected systems to hijack search queries and redirect traffic back to its own server. The researchers have discovered that the attacks appear largely targeted at individuals looking for cracked software through Google and Bing, with other targets including various Yahoo sites.

“MosaicLoader” has been active since early 2017, though it has not been flagged by any antivirus products. The malware reportedly makes itself difficult to remove by utilizing a custom packer, and it remains unclear who is behind the campaign or what their motivations are.

Attackers behind “MosaicLoader” are using an executable file that has been carefully generated to avoid detection by traditional antivirus packages.

The file is installed as a Windows service and targets queries to the Google, Bing, and Yahoo search engines. When victims search for keywords such as “cracked”, “serial”, and “keygen”, the malicious server replies to the search request with an ad containing obfuscated JavaScript code.

When the victim clicks on the ad and visits a malicious website, the script loads additional files from remote servers hosted in Ukraine and Poland, including one that fetches an executable file from a server in Los Angeles.

“MosaicLoader” is written in C++ and uses the “nsis.h”, “libnss{tools,2}”, and “libgcc_s.1” libraries, which are all available on Windows systems. The malware also makes heavy use of Microsoft’s Network Security Services (NSS) library, Version 3.16 at least.

The malware connects to a remote server via TCP port 4226 over a TLS/SSL-encrypted channel, using a self-signed certificate issued to itself by DomainKeys Identified Mail (DKIM). It is unclear how the attackers obtained this certificate; it most likely came from a legitimate partner on the black market that used stolen login credentials to sign various certificates.

The malware connects to a second server via HTTP port 80, and uses TLS/SSL for the connection.

The malware upgrades itself by downloading a new executable file from one of two remote servers in Ukraine and Poland. Both servers host multiple other files that provide further instructions to the malware program on how to update itself.
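The network behaviour described above (a TLS session to a remote server on TCP port 4226 presenting a self-signed certificate) is something a defender can hunt for in TLS connection logs. The following is an added detection sketch, not code from the original article; the log format is a constructed, Zeek-style tab-separated subset, and the field names and sample addresses are assumptions.

```python
"""Flag TLS sessions on TCP 4226 and self-signed certificates on non-standard ports.

Added example for the MosaicLoader write-up; not part of the original article.
Input format is a constructed Zeek-like ssl.log subset (tab-separated):
    id.orig_h  id.resp_h  id.resp_p  subject  issuer
"""
from __future__ import annotations
from dataclasses import dataclass

SUSPECT_PORT = 4226          # C2 port named in the write-up
STANDARD_TLS_PORTS = {443}   # ports where self-signed certs are less unusual

# Constructed sample log: RFC 5737 documentation addresses, invented subjects.
SAMPLE_SSL_LOG = """\
#fields\tid.orig_h\tid.resp_h\tid.resp_p\tsubject\tissuer
10.0.0.5\t203.0.113.10\t443\tCN=www.example.com\tCN=Example CA
10.0.0.5\t198.51.100.7\t4226\tCN=update-svc\tCN=update-svc
10.0.0.8\t198.51.100.9\t8443\tCN=devbox\tCN=devbox
10.0.0.8\t203.0.113.20\t443\tCN=mail.example.net\tCN=Example CA
"""

@dataclass
class TlsRecord:
    src: str
    dst: str
    dport: int
    subject: str
    issuer: str

def parse_ssl_log(text: str) -> list[TlsRecord]:
    """Parse the constructed ssl.log subset, skipping '#' header lines."""
    records = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        src, dst, dport, subject, issuer = line.split("\t")
        records.append(TlsRecord(src, dst, int(dport), subject, issuer))
    return records

def is_self_signed(rec: TlsRecord) -> bool:
    """A certificate whose issuer equals its subject is self-signed."""
    return rec.subject == rec.issuer

def flag_suspicious(records: list[TlsRecord]) -> list[tuple[str, TlsRecord]]:
    """Return (reason, record) pairs worth an analyst's attention."""
    hits = []
    for rec in records:
        if rec.dport == SUSPECT_PORT and is_self_signed(rec):
            hits.append(("self-signed TLS on TCP 4226", rec))
        elif rec.dport == SUSPECT_PORT:
            hits.append(("TLS on TCP 4226", rec))
        elif is_self_signed(rec) and rec.dport not in STANDARD_TLS_PORTS:
            hits.append(("self-signed TLS on non-standard port", rec))
    return hits

if __name__ == "__main__":
    for reason, rec in flag_suspicious(parse_ssl_log(SAMPLE_SSL_LOG)):
        print(f"{reason}: {rec.src} -> {rec.dst}:{rec.dport} ({rec.subject})")
```

The second rule deliberately fires on any self-signed certificate off port 443, since the port alone is easy for an operator to change; tune `STANDARD_TLS_PORTS` to the environment's known-good services.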

“MosaicLoader’s” main task is to redirect potential victims who type specific search terms into their search engines to advertisements containing malicious JavaScript code. The malware fetches this JavaScript from different domains and servers, which, at least at first glance, are not hosted on the same IP addresses as the main server.

In order to prevent reverse engineering, the malware implements a number of anti-reversing techniques. The sample analyzed by CrowdStrike has been packed with a custom packer. The packer utilized is not currently detected by any antivirus solutions, though other samples may be detected depending on the antivirus software used.

The custom packer makes it difficult to identify the exact program code being executed by the malware, in order to hinder reverse engineering. Packers are not uncommon among malicious software, as they help to protect against analysis and reverse engineering techniques, and are frequently used by well-known malware families such as Lazarus Group’s ROKRAT malware or other well-known families such as BlackEnergy and Hermes.

The threat actors behind “MosaicLoader” have not been identified, but they appear to be rather advanced and well-funded. It is possible that they have been monitoring users for a long time to identify potential targets for their malware campaigns.

While we are not yet certain who is behind this campaign, we recommend that you take the necessary precautions to protect your computers against potential threats of this kind.
