Security News > 2021 > July > This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection
Cybersecurity researchers on Tuesday lifted the lid on a previously undocumented malware strain dubbed "MosaicLoader" that singles out individuals searching for cracked software as part of a global campaign.
"The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service," Bitdefender researchers said in a report shared with The Hacker News.
"The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links."
The malware has been so named because of its sophisticated internal structure that's orchestrated to prevent reverse-engineering and evade analysis.
Attacks involving MosaicLoader rely on a well-established tactic for malware delivery called search engine optimization poisoning, wherein cybercriminals purchase ad slots in search engine results to boost their malicious links as top results when users search for terms related to pirated software.
Upon a successful infection, the initial Delphi-based dropper - which masquerades as a software installer - acts as an entry point to fetch next-stage payloads from a remote server and also add local exclusions in Windows Defender for the two downloaded executables in an attempt to thwart antivirus scanning.
News URL
Related news
- North Korean ScarCruft Exploits Windows Zero-Day to Spread RokRAT Malware (source)
- Russia targets Ukrainian conscripts with Windows, Android malware (source)
- New SteelFox malware hijacks Windows PCs using vulnerable driver (source)
- New CRON#TRAP Malware Infects Windows by Hiding in Linux VM to Evade Antivirus (source)