Cybersecurity researchers on Tuesday lifted the lid on a previously undocumented malware strain dubbed “MosaicLoader” that singles out individuals searching for cracked software as part of a global campaign. “The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service,” Bitdefender researchers said in a report shared with The Hacker News. “The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links.” Upon successful infection, the initial Delphi-based dropper — which masquerades as a software installer — acts as an entry point to fetch next-stage payloads from a remote server. It also adds local exclusions in Windows Defender for the two downloaded executables in an attempt to thwart antivirus scanning.
Written by: Nataliia Zdrok, Threat Intelligence Analyst at Binary Defense Russia’s invasion of Ukraine increased