A newly discovered form of malware delivered to victims via adverts in search results is being used as a gateway to stealing passwords, installing cryptocurrency miners and delivering additional trojan malware.
Detailed by cybersecurity company Bitdefender, the malware – which targets Windows – has been dubbed MosaicLoader and has infected victims around the world as those behind it attempt to compromise as many systems as possible.
MosaicLoader can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information.
Links to the malware appear at the top of search results when people search for cracked versions of popular software. Automated systems used to buy and serve advertising space likely means that nobody in the chain – aside from the attackers – know the adverts are malicious at all.
The security company said that employees working from home are at higher risk of downloading cracked software.
“Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.
It’s possible that the malware would be detected by antivirus software, but many users downloading illegally cracked software have likely turned their protections off in order to access and install the download.
In order to make the download seem as legitimate as possible to the user, the cracked software mimics the file information of the real software, even down to names and descriptions within file folders.
However, all that’s downloaded is MosaicLoader, which provides the attackers with access to the machine. Researchers note that attackers try to steal usernames and passwords for online accounts, as well as operate cryptocurrency miners and drop trojan malware, which provide backdoor access to machines.
It’s suspected that the aim of this campaign is to eventually sell access to compromised Windows machines – although the fact that additional malware is already being installed suggests the attackers are stealing data for themselves.
“From what we can tell, this new MosaicLoader attempts to infect as many devices as possible, likely to build up market share and then sell access to infected computers to other threat actors,” said Botezatu.
According to Bitdefender the cyber-criminal group behind MosaicLoader is likely a new operation, without ties to any previously known groups. They’re trying to spread the malware as much as possible – but the current form of distribution means that, so long as users aren’t attempting to download cracked software, they’ll remain safe.
Users should also be wary of following instructions to turn off antivirus software, as that can lead to malicious software being allowed to infiltrate the system.
“We advise users to never turn off their security solution when it blocks the installation of software downloaded from the internet, as attackers have become adept at bundling legitimate apps with malware,” said Botezatu.