Jump to content
  • This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection

    aum

    • 378 views
    • 3 minutes
     Share


    • 378 views
    • 3 minutes

    This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection

     

    Cybersecurity researchers on Tuesday lifted the lid on a previously undocumented malware strain dubbed "MosaicLoader" that singles out individuals searching for cracked software as part of a global campaign.

     

    "The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service," Bitdefender researchers said in a report shared with The Hacker News. "The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links."

     

    computer-virus.jpg

     

    The malware has been so named because of its sophisticated internal structure that's orchestrated to prevent reverse-engineering and evade analysis.

     

    Attacks involving MosaicLoader rely on a well-established tactic for malware delivery called search engine optimization (SEO) poisoning, wherein cybercriminals purchase ad slots in search engine results to boost their malicious links as top results when users search for terms related to pirated software.

     

    Upon a successful infection, the initial Delphi-based dropper — which masquerades as a software installer — acts as an entry point to fetch next-stage payloads from a remote server and also add local exclusions in Windows Defender for the two downloaded executables in an attempt to thwart antivirus scanning.

     

    windows-malware.jpg

     

    It's worth pointing out that such Windows Defender exclusions can be found in the registry keys listed below:

     

    • File and folder exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

     

    • File type exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions

     

    • Process exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes


    One of the binaries, "appsetup.exe," is conceived to achieve persistence on the system, whereas the second executable, "prun.exe," functions as a downloader for a sprayer module that can retrieve and deploy a variety of threats from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba.

     

    "prun.exe" is also notable for its barrage of obfuscation and anti-reverse techniques that involve separating code chunks with random filler bytes, with the execution flow designed to "jump over these parts and only execute the small, meaningful chunks."

     

    malware-map.jpg

     

    Given MosaicLoader's wide-ranging capabilities, compromised systems can be co-opted into a botnet that the threat actor can then exploit to propagate multiple and evolving sets of sophisticated malware, including both publicly available and customized malware, to obtain, expand, and maintain unauthorized access to victim computers and networks.

     

    "The best way to defend against MosaicLoader is to avoid downloading cracked software from any source," the researchers said. "Besides being against the law, cybercriminals look to target and exploit users searching for illegal software," adding it's essential to "check the source domain of every download to make sure that the files are legitimate."

     

    Source

    • Like 3

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...