[BreachExchange] This New Malware Hides Itself Among Windows Defender Exclusions to Evade Detection

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Tue Jul 20 10:55:52 EDT 2021


https://thehackernews.com/2021/07/this-new-malware-hides-itself-among.html

Cybersecurity researchers on Tuesday lifted the lid on a previously
undocumented malware strain dubbed "MosaicLoader" that singles out
individuals searching for cracked software as part of a global campaign.

"The attackers behind MosaicLoader created a piece of malware that can
deliver any payload on the system, making it potentially profitable as a
delivery service," Bitdefender researchers said in a report shared with The
Hacker News. "The malware arrives on target systems by posing as cracked
installers. It downloads a malware sprayer that obtains a list of URLs from
the C2 server and downloads the payloads from the received links."

The malware has been so named because of its sophisticated internal
structure that's orchestrated to prevent reverse-engineering and evade
analysis.

Attacks involving MosaicLoader rely on a well-established tactic for
malware delivery called search engine optimization (SEO) poisoning, in which
cybercriminals push malicious links to the top of search results for terms
related to pirated software; in this campaign they do so by purchasing ad
slots in the search engine results.

Upon a successful infection, the initial Delphi-based dropper, which
masquerades as a software installer, acts as an entry point: it fetches
next-stage payloads from a remote server and also adds local Windows Defender
exclusions for the two downloaded executables in an attempt to keep them
from being scanned.

It's worth pointing out that such Windows Defender exclusions can be found
in the registry keys listed below:

   - File and folder exclusions:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
   - File type exclusions:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
   - Process exclusions:
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
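Because an exclusion is a registry value under one of the three keys above,
every addition shows up as a configuration-change record in the Defender
operational log (Event ID 5007, "Microsoft Defender Antivirus Configuration has
changed"), which carries the changed value path in its "New value:" line. The
following is an added example, not code from the Bitdefender report or from
the article: it parses such messages, keeps only exclusion additions, and
flags the ones that point into user-writable locations, which is what a
dropper running as the logged-on user would create. The sample events are
constructed to mimic the 5007 message format, and the "user-writable path"
heuristic and the victim paths are assumptions.

```python
"""Flag Defender exclusion additions in Event ID 5007 messages.

Added example, not from the Bitdefender report or the article: the three
registry keys are the ones listed in the post; the sample events below are
constructed to look like Microsoft Defender Antivirus 5007 messages, and the
'user-writable path' heuristic is an assumption.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Registry root under which the three exclusion keys from the post live
# (the event log writes HKLM rather than HKEY_LOCAL_MACHINE).
EXCLUSION_ROOT = r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions"

# Subkey -> exclusion type, matching the three keys listed above.
EXCLUSION_KINDS = {"Paths": "path", "Extensions": "extension", "Processes": "process"}

# A 5007 message reports the changed value as
#   New value: <registry value path> = <data>
# An exclusion is stored as a DWORD 0 value named after the excluded item.
NEW_VALUE_RE = re.compile(
    r"New value:\s*"
    + re.escape(EXCLUSION_ROOT)
    + r"\\(?P<kind>Paths|Extensions|Processes)\\(?P<target>.+?)\s*=\s*(?P<data>0x[0-9A-Fa-f]+)\s*$",
    re.MULTILINE,
)

# Heuristic (assumption): a dropper running as the logged-on user excludes
# what it wrote into user-writable locations, so those get priority.
USER_WRITABLE_HINTS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\downloads\\", "\\programdata\\")


@dataclass(frozen=True)
class ExclusionEvent:
    kind: str        # "path", "extension" or "process"
    target: str      # excluded path, extension or process name
    suspicious: bool


def is_suspicious(kind: str, target: str) -> bool:
    """Extension exclusions hide a whole file type; path/process exclusions
    under user-writable directories match the dropper behaviour described."""
    if kind == "extension":
        return True
    lowered = target.lower()
    return any(hint in lowered for hint in USER_WRITABLE_HINTS)


def parse_5007_message(message: str) -> Optional[ExclusionEvent]:
    """Return the exclusion added by a 5007 message, or None when the message
    is not an exclusion addition (another setting changed, or a removal whose
    'New value' is empty)."""
    m = NEW_VALUE_RE.search(message)
    if not m:
        return None
    kind = EXCLUSION_KINDS[m.group("kind")]
    target = m.group("target")
    return ExclusionEvent(kind, target, is_suspicious(kind, target))


def review_events(messages: List[str]) -> List[ExclusionEvent]:
    """Parse a batch of 5007 messages and keep only exclusion additions."""
    return [ev for ev in map(parse_5007_message, messages) if ev is not None]


HEADER = ("Microsoft Defender Antivirus Configuration has changed. If this is an "
          "unexpected event you should review the settings as this may be the "
          "result of malware.\n")

# Constructed sample events (not real telemetry): an admin excluding a server
# directory, two exclusions like the ones the dropper adds for its payloads,
# an unrelated setting change, and an exclusion removal.
SAMPLE_EVENTS = [
    HEADER + "\tOld value: \n\tNew value: " + EXCLUSION_ROOT
    + r"\Paths\C:\Program Files\Microsoft SQL Server\ = 0x0",
    HEADER + "\tOld value: \n\tNew value: " + EXCLUSION_ROOT
    + r"\Paths\C:\Users\victim\AppData\Local\Temp\appsetup.exe = 0x0",
    HEADER + "\tOld value: \n\tNew value: " + EXCLUSION_ROOT
    + r"\Processes\C:\Users\victim\AppData\Local\Temp\prun.exe = 0x0",
    HEADER + "\tOld value: " + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x0"
    + "\n\tNew value: " + r"HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = 0x1",
    HEADER + "\tOld value: " + EXCLUSION_ROOT + r"\Paths\C:\Users\victim\Downloads\ = 0x0"
    + "\n\tNew value: ",
]

if __name__ == "__main__":
    for ev in review_events(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if ev.suspicious else "review"
        print(f"{flag:<10} {ev.kind:<9} {ev.target}")
```

On a live host the messages come from Get-WinEvent against the
'Microsoft-Windows-Windows Defender/Operational' log filtered on Id 5007, and
the current state can be compared against Get-MpPreference (ExclusionPath,
ExclusionExtension, ExclusionProcess) or the three keys above. The unrelated
5007 in the sample (real-time monitoring being disabled) is deliberately left
out of this parser's scope, but it is the other configuration change worth
alerting on from the same event.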

One of the binaries, "appsetup.exe," is conceived to achieve persistence on
the system, whereas the second executable, "prun.exe," functions as a
downloader for a sprayer module that can retrieve and deploy a variety of
threats from a list of URLs, ranging from cookie stealers to cryptocurrency
miners, and even more advanced implants like Glupteba.

"prun.exe" is also notable for its barrage of obfuscation and anti-reverse
techniques that involve separating code chunks with random filler bytes,
with the execution flow designed to "jump over these parts and only execute
the small, meaningful chunks."

Given MosaicLoader's wide-ranging capabilities, compromised systems can be
co-opted into a botnet that the threat actor can then exploit to propagate
multiple and evolving sets of sophisticated malware, including both
publicly available and customized malware, to obtain, expand, and maintain
unauthorized access to victim computers and networks.

"The best way to defend against MosaicLoader is to avoid downloading
cracked software from any source," the researchers said. "Besides being
against the law, cybercriminals look to target and exploit users searching
for illegal software," adding it's essential to "check the source domain of
every download to make sure that the files are legitimate."