A new kind of malware called MosaicLoader is currently rampant through the Internet. Designed to outsmart Windows Defender, it quietly installs dangerous malware on infected PCs.

At the end of July 2021, Bitdefender security researchers identified a new kind of malware targeting Windows computers. In a report shared with The Hacker News, the experts at this cybersecurity company detail the vicious and clever workings of a Trojan horse they have named MosaicLoader, which has already claimed many victims around the world.

The most original feature of this malware is its distribution method. According to Bitdefender experts, MosaicLoader spreads across the web by hiding in search engine advertisements. It targets, more specifically, searches for pirated versions of software, and in particular searches for “cracks”, the tools that circumvent an application’s installation protections (serial numbers and similar checks), often by patching the program’s code. Other specialists point out that MosaicLoader can also hide directly in the installer of the pirated software.

Once on the victim’s computer, MosaicLoader immediately sets in motion a series of complex processes to bypass protective measures. It first unpacks two executable files (appsetup.exe and prun.exe), installs a backdoor and immediately downloads various very dangerous malware, such as Glupteba, XMRIG or AsyncRAT, to steal passwords and confidential information, mine cryptocurrency, take control of the PC or turn the machine into a “bot”, a robot used for malicious purposes. Crucially, it hides these threats from security tools like Windows Defender by adding exclusions through PowerShell commands. This is what prompted Bitdefender’s alert.

How to protect yourself from MosaicLoader?

To avoid getting infected, with the consequences one can imagine, the Bitdefender researchers obviously recommend not downloading pirated software and not clicking on advertisements for cracks, which may seem obvious. But they also explain that you can tell whether a PC has been infected with MosaicLoader by examining the Windows Defender exclusions in the Windows Registry Editor. This operation remains fairly simple and limits the damage while waiting for Microsoft to update its security tool.

  • To do this on Windows 10, open the Start menu, scroll down the list of applications to the Windows Administrative Tools section, then click Registry Editor.

  • You can also open the Registry Editor with a command: press Windows + R to open the Run dialog, type regedit, then click OK. This method works on Windows 7, 8 and 10.

  • Once the Editor is open, go to the left column and successively expand the following keys in the tree structure:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths (paths)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions (file extensions)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes (processes)

  • Examine the contents of each key in the right pane for any suspicious items. In principle, each key contains only the single “(Default)” entry. If you find items that you did not exclude yourself, that is a bad sign. To remove an intruder created by MosaicLoader, right-click on it and select Delete from the context menu.
  • Finally, it almost goes without saying: use Windows Update to update all components of Windows, including Windows Defender, with Microsoft’s patches. Likewise, use the update function of your security suite if you are using a “third-party” tool.
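The manual check above can be scripted so that it can be run on several machines or repeated after a cleanup. The following PowerShell script is an added example, not code from the article or from Bitdefender. It assumes an elevated PowerShell prompt on Windows 10: it reads the three Exclusions keys the article names, reports every entry other than the “(Default)” value, cross-checks the result against the Defender cmdlet Get-MpPreference, and lists recent Defender configuration-change events (event ID 5007) that mention exclusions, which is where a PowerShell-added exclusion leaves a trace.

```powershell
# Added example, not from the article: audit Windows Defender exclusions the
# way the article describes, but from PowerShell instead of regedit.
# Assumption: run from an elevated (Administrator) PowerShell on Windows 10.

$base = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
$subkeys = @{
    'Paths'      = 'excluded path'
    'Extensions' = 'excluded file extension'
    'Processes'  = 'excluded process'
}

$findings = @()
foreach ($name in $subkeys.Keys) {
    $keyPath = Join-Path $base $name
    if (-not (Test-Path $keyPath)) {
        Write-Host "[$name] key not present, nothing excluded"
        continue
    }
    $key = Get-Item -Path $keyPath
    # Under these keys the registry VALUE NAME is the excluded item itself;
    # the "(Default)" value shows up here as an empty string, so skip it.
    foreach ($valueName in $key.GetValueNames()) {
        if ($valueName -eq '') { continue }
        $findings += [pscustomobject]@{
            Type = $subkeys[$name]
            Item = $valueName
            Key  = $keyPath
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Host 'No Defender exclusions found in the registry.'
} else {
    Write-Host "Found $($findings.Count) exclusion(s). Anything you did not add yourself is suspect:"
    $findings | Format-Table -AutoSize
}

# Cross-check with the Defender cmdlet view of the same settings.
if (Get-Command Get-MpPreference -ErrorAction SilentlyContinue) {
    $pref = Get-MpPreference
    Write-Host "`nGet-MpPreference reports:"
    Write-Host "  ExclusionPath      : $($pref.ExclusionPath -join ', ')"
    Write-Host "  ExclusionExtension : $($pref.ExclusionExtension -join ', ')"
    Write-Host "  ExclusionProcess   : $($pref.ExclusionProcess -join ', ')"
}

# Defender logs a configuration change as event ID 5007; an exclusion added
# from PowerShell appears here with the registry path that was modified.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 5007
} -MaxEvents 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions' }

if ($events) {
    Write-Host "`nRecent Defender configuration changes touching Exclusions:"
    $events | Select-Object TimeCreated, Message | Format-List
}
```

Anything the script lists that you did not configure yourself should be removed as the article describes (right-click and Delete in the Registry Editor) or with the matching Remove-MpPreference cmdlet, and the machine should then be fully scanned, since the exclusion is only the cover for the malware it was protecting.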

Thanks to Bazfile for the screenshots of MosaicLoader in vitro !
