
This New Malware Hides Itself Among Windows Defender Exclusions to Avoid Detection – E Hacking News


 

On Tuesday, security experts confirmed the existence of a previously undocumented malware strain named “MosaicLoader,” which targets people looking for cracked software as part of a global campaign. 

Bitdefender researchers stated in a report shared with The Hacker News, “The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service.” 

“The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links.” 

The malware’s name comes from its complex internal structure, which is designed to avoid reverse engineering and escape investigation.

MosaicLoader attacks employ a well-known malware delivery technique known as search engine optimization (SEO) poisoning, in which hackers buy ad slots in search engine results to elevate their harmful URLs to the top of the results when users search for keywords linked to pirated software.

Following a successful infection, the Delphi-based dropper, which masquerades as a software installer, serves as an entry point for retrieving next-stage payloads from a remote server and adds local exclusions in Windows Defender for the two downloaded executables in an effort to circumvent antivirus scanning.

It’s important to note that such Windows Defender exclusions can be found in the registry keys listed below: 

1. File and folder exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths

2. File type exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions

3. Process exclusions – HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
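To audit a host for the kind of exclusions described above, the following PowerShell (an added example, not code from Bitdefender or the article) enumerates the three registry keys, flags entries that point into user-writable locations, and lists recent Defender event 5007 configuration-change records; the “suspicious location” patterns are assumptions of this example, not indicators from the report, and the script is meant to run from an elevated prompt.

```powershell
# Added example: audit Windows Defender exclusions stored in the registry.
# Each exclusion is stored as a value *name* under the category key.
$base       = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
$categories = 'Paths', 'Extensions', 'Processes'

# Assumed patterns for locations that rarely belong in a legitimate exclusion
# (user profiles, temp directories, downloads, or a whole drive root).
$suspiciousPathPatterns = @(
    '^[A-Za-z]:\\Users\\', '\\AppData\\', '\\Temp\\',
    '^[A-Za-z]:\\ProgramData\\', '\\Downloads\\', '^[A-Za-z]:\\$'
)
# Excluding executable file types disables scanning for most droppers.
$suspiciousExtPattern = '^\.?(exe|dll|scr|ps1|bat|cmd|vbs|js)$'

function Get-DefenderExclusion {
    foreach ($category in $categories) {
        $key = Join-Path $base $category
        if (-not (Test-Path $key)) { continue }
        foreach ($name in (Get-Item -Path $key).GetValueNames()) {
            $pattern = if ($category -eq 'Extensions') { $suspiciousExtPattern }
                       else { ($suspiciousPathPatterns | Where-Object { $name -match $_ } | Select-Object -First 1) }
            [PSCustomObject]@{
                Category   = $category
                Exclusion  = $name
                Suspicious = [bool]($pattern -and $name -match $pattern)
            }
        }
    }
}

# Defender logs event ID 5007 whenever its configuration changes; the message
# names the registry value that was added, so exclusion changes can be pulled out.
function Get-DefenderExclusionChange {
    param([int]$Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Windows Defender/Operational'
        Id        = 5007
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Exclusions\\' } |
        Select-Object TimeCreated, Message
}

Get-DefenderExclusion | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-DefenderExclusionChange -Hours 72 | Format-List
```

Compare the registry view with `Get-MpPreference | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess`; a mismatch between the two, or an exclusion whose 5007 event coincides with a user installing an “installer,” is worth a closer look.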

One of the binaries, “appsetup.exe,” is designed to attain system persistence, while the second, “prun.exe,” is a downloader for a sprayer module that can obtain and deploy a range of attacks from a list of URLs, ranging from cookie stealers to cryptocurrency miners, and even more advanced implants like Glupteba. 

Because of MosaicLoader’s broad capabilities, compromised systems can be co-opted into a botnet, which the threat actor can then use to spread a variety of malicious software, including both publicly available and customized malware, to gain, expand, and manage unauthorized access to victim computers and networks. 

The researchers added, “The best way to defend against MosaicLoader is to avoid downloading cracked software from any source.”

Besides being against the law, downloading cracked software exposes users to cybercriminals who specifically target people searching for it; the researchers added that it is essential to check the source domain of every download to make sure the files are legitimate.




