
This new malware is hidden in Windows Defender exclusions to evade detection

Cybersecurity researchers on Tuesday disclosed a previously undocumented malware strain dubbed "MosaicLoader" that singles out individuals searching for cracked software as part of a global campaign.

"The attackers behind MosaicLoader created a piece of malware that can deliver any payload on the system, making it potentially profitable as a delivery service," Bitdefender researchers said in a report shared with The Hacker News. "The malware arrives on target systems by posing as cracked installers. It downloads a malware sprayer that obtains a list of URLs from the C2 server and downloads the payloads from the received links."


The malware is so named because of its sophisticated internal structure, which is designed to hinder reverse engineering and evade analysis.

Attacks involving MosaicLoader rely on an established tactic of malware delivery called search engine optimization (SEO) poisoning. Cybercriminals buy ad slots in search engine results to push malicious links as top results when users search for terms related to pirated software.


If the infection is successful, a first-stage Delphi-based dropper (masquerading as a software installer) acts as the entry point. It fetches the next-stage payloads from a remote server and adds local Windows Defender exclusions for the two downloaded executables so that they are not picked up by antivirus scans.


Such Windows Defender exclusions are stored under the registry keys listed below:

  • File and folder exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths
  • File type exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions
  • Process exclusions - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes
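Because every entry under those keys is a value name (with DWORD data 0), a defender can enumerate them and compare the result against the exclusions the organisation deliberately configured. The following PowerShell audit script is an added example, not code from the Bitdefender report; the `$Approved` allow-list is a constructed placeholder, and the `Get-MpPreference` cross-check assumes an elevated session.

```powershell
# Added example (not from the Bitdefender report): audit Windows Defender
# exclusions for entries that do not match an administrator-maintained allow-list.
# Assumes it is run in an elevated PowerShell session on the host being checked.

$ExclusionKeys = @{
    'Paths'      = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths'
    'Extensions' = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Extensions'
    'Processes'  = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes'
}

# Exclusions the organisation knowingly configured (constructed placeholder list).
$Approved = @('C:\Program Files\ExampleBackup\')

function Get-DefenderExclusionEntries {
    param([hashtable]$Keys)
    foreach ($kind in $Keys.Keys) {
        $key = $Keys[$kind]
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        # Each exclusion is stored as a value name under the key (data is a DWORD 0);
        # skip the PowerShell registry provider's own PS* metadata properties.
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }
            [pscustomobject]@{
                Kind     = $kind
                Value    = $prop.Name
                Approved = $Approved -contains $prop.Name
            }
        }
    }
}

$entries = Get-DefenderExclusionEntries -Keys $ExclusionKeys
$entries | Sort-Object Kind, Value | Format-Table -AutoSize

# Flag anything not on the allow-list; exclusions for user-writable locations or
# for individual executable names are the pattern described for MosaicLoader.
$suspect = $entries | Where-Object { -not $_.Approved }
if ($suspect) {
    Write-Warning ("{0} unapproved Defender exclusion(s) found" -f @($suspect).Count)
}

# Cross-check against what the Defender engine itself reports (requires elevation).
$pref = Get-MpPreference
$pref | Select-Object ExclusionPath, ExclusionExtension, ExclusionProcess | Format-List
```

Running this on a schedule and forwarding the warnings to a SIEM gives a simple detection for the exclusion-tampering step, independent of whether the dropped binaries themselves are recognised.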

One of the binaries, "appsetup.exe", is designed to establish persistence on the system, while the second executable, "prun.exe", acts as a downloader for a sprayer module that can deploy a variety of threats from a list of URLs, ranging from cookie stealers to cryptocurrency miners and more advanced implants such as Glupteba.


"Prun.exe" is also notable for its heavy use of obfuscation and anti-reversing techniques, which separate code chunks with random filler bytes, while the execution flow is designed to "jump over these parts and execute only the small, meaningful chunks."


Given MosaicLoader's wide range of capabilities, compromised systems can be co-opted into a botnet that the attackers then use to propagate multiple, evolving pieces of sophisticated malware, including both publicly available and customised malware, in order to gain, expand, and maintain unauthorised access to victims' computers and networks.

"The best way to protect against MosaicLoader is to avoid downloading cracked software from any source," the researchers say. "Besides being against the law, cybercriminals look to target and exploit users searching for illegal software," they added. "Check the source domains of all downloads and make sure the files are legitimate."

