This password-stealing Windows malware is distributed via ads in search results

MosaicLoader can be used to steal passwords, install cryptocurrency miners and deliver trojan malware, warn researchers, who say those behind it want to sell access to Windows PCs on to other cybercriminals.
Written by Danny Palmer, Senior Writer

A newly discovered form of malware delivered to victims via adverts in search results is being used as a gateway to stealing passwords, installing cryptocurrency miners and delivering additional trojan malware.

Detailed by cybersecurity company Bitdefender, the malware -- which targets Windows -- has been dubbed MosaicLoader and has infected victims worldwide as those behind it attempt to compromise as many systems as possible.

MosaicLoader can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information. 


Unlike many forms of malware, which get distributed via phishing attacks or unpatched software vulnerabilities, MosaicLoader is delivered to victims via advertising.  

Links to the malware appear at the top of search results when people search for cracked versions of popular software. The automated systems used to buy and serve advertising space likely mean that nobody in the chain -- aside from the attackers -- knows the adverts are malicious at all.

The security company said that employees working from home are at higher risk of downloading cracked software.

"Most likely, attackers are purchasing adverts with downstream ad networks -- small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when the limited staff impacts manual ad vetting on call," Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.

It's possible that the malware would be detected by antivirus software. Still, many users downloading illegally cracked software have likely turned their protections off in order to access and install the download. 

In order to make the download seem as legitimate as possible to the user, the cracked software mimics the file information of the real software, even down to names and descriptions within file folders.  
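Version metadata is trivial to copy, but an Authenticode signature is not, so a defender's check is to compare the two. The script below is an added example and is not code from the article or from Bitdefender; the scan path and the list of vendor names are assumptions chosen for illustration.

```powershell
# Added example: flag executables whose version resource claims a well-known
# vendor but whose Authenticode signature is missing, broken, or issued to
# a different subject. $Path and $KnownVendors are illustrative assumptions.
param(
    [string]$Path = "$env:USERPROFILE\Downloads",
    [string[]]$KnownVendors = @('Microsoft', 'Adobe', 'Google', 'Oracle')
)

Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
ForEach-Object {
    $vi  = $_.VersionInfo
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName

    # Text the file uses to describe itself (what a lookalike copies)
    $claimed = "$($vi.CompanyName) $($vi.ProductName) $($vi.FileDescription)"

    # Which known vendor, if any, does the metadata claim to be?
    $vendor = $KnownVendors |
        Where-Object { $claimed -match [regex]::Escape($_) } |
        Select-Object -First 1
    if (-not $vendor) { return }

    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }

    # Suspicious when the signature is not valid, or the signer's subject
    # does not name the vendor the metadata claims
    $suspicious = ($sig.Status -ne 'Valid') -or ($signer -notmatch [regex]::Escape($vendor))

    if ($suspicious) {
        [pscustomobject]@{
            File          = $_.FullName
            ClaimedVendor = $vendor
            SigStatus     = $sig.Status
            Signer        = $signer
        }
    }
}
```

A genuine vendor binary will normally show `Valid` with the vendor in the signer subject; a lookalike with copied names and descriptions will show `NotSigned`, `HashMismatch`, or an unrelated signer.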

However, all that's downloaded is MosaicLoader, which provides the attackers with access to the machine. Researchers note that attackers try to steal usernames and passwords for online accounts and operate cryptocurrency miners and drop trojan malware, which provides backdoor access to machines. 

It's suspected that this campaign aims to eventually sell access to compromised Windows machines -- although the fact that additional malware is already being installed suggests the attackers are stealing data for themselves. 

"From what we can tell, this new MosaicLoader attempts to infect as many devices as possible, likely to build up market share and then sell access to infected computers to other threat actors," said Botezatu. 


According to Bitdefender, the cybercriminal group behind MosaicLoader is likely a new operation, without ties to any previously known groups. They're trying to spread the malware as much as possible -- but the current form of distribution means that, so long as users aren't attempting to download cracked software, they'll remain safe. 

Users should also be wary of following instructions to turn off antivirus software, as that can lead to malicious software being allowed to infiltrate the system. 

"We advise users to never turn off their security solution when it blocks the installation of software downloaded from the internet, as attackers have become adept at bundling legitimate apps with malware," said Botezatu.  
