
MosaicLoader malware preys on unsafe work-from-home downloading habits

A Bitdefender booth at a 2017 trade fair. (Thomas Springer, CC0, via Wikimedia Commons)

A newly discovered malicious downloader that’s been distributed under the false pretext of cracked office suite software is the latest example of cybercriminals taking advantage of remote employees who download pirated productivity software and games on their computer devices.

Discovered by researchers at Bitdefender, the downloader, MosaicLoader, serves as a first-stage payload that subsequently delivers a variety of malicious code, including cookie stealers, cryptominers, trojans and backdoors such as Glupteba. To entice prospective victims into infecting themselves with the loader, adversaries have resorted to paying for advertising slots in search engine results in order to boost links to their malicious download sites and attract the attention of individuals looking for cracked software.

“Since May we have seen at least 5,000 unique computers attempting to download and run these cracks,” said Bob Botezatu, director of threat research and reporting at Bitdefender, who noted these findings only account for computers covered by Bitdefender telemetry, meaning the actual distribution of the attack is likely much broader.

Botezatu said the adversaries behind this scheme may be counting on victims infected with the cracked software connecting their compromised devices to their corporate networks, and thus placing their companies’ security in peril as well. 

“Because of the fact that people are now working remotely, anything is possible,” said Botezatu. “Most people have had desktops at work, and they have been forced to leave the office behind. Not all of them were able to take devices at home, so they purchased devices, and in order to save a little bit of money, they're resorting to cracked copies of the operating system or helper applications — Office and the Adobe suite being some of the most sought-after types of cracked applications.”

Rather than waiting for official corporate approval of requested devices or software, workers “take the matters into their own hands and attempt to get productive as soon as possible.” And in using rogue devices or downloading unofficial software, they have “blindsided their IT team” with “shadow IT,” he added.

Indeed, cybercriminals are well aware that users of cracked software generally don’t have the highest security standards. “Most people looking for cracks and illegal copies of software [aren’t] running anti-virus solutions. Or if they do, many times they turn it off” to avoid being constantly prompted with alerts, Botezatu continued. After all, “these apps are very intrusive. They attempt to modify files on the computer, they attempt to patch the memory as the computer runs its instructions and so on. So they [users] think of these alerts as false positives that can be safely ignored. Well, it's not the case.”

Joseph Carson, chief security scientist and advisory CISO at ThycoticCentrify, said that while leveraging cracked software to spread malware is not really a new technique, “it is becoming more successful now that employees are working remotely on unprotected networks where they are continuously switching between personal and corporate devices.” Carson even pointed to recent company research, which found that “employees are willing to take a risk because they don’t believe they are a target of cybercriminals and that they have an IT security team that is protecting them.”

And this problem may only worsen as the “line between personal and business devices will continue to blur,” said Erkang Zheng, founder and CEO at JupiterOne. “Users will always find ways to get around the ‘gates’ to make things easier for themselves.”

For this reason, shadow IT and pirated software copies have become a more important focus for policymakers and security awareness program managers seeking to prevent remote employees from unknowingly becoming internal threats.

“It’s imperative to educate teleworkers to be vigilant about potential cyberthreats and prioritizing cyber hygiene,” said Aamir Lakhani, lead security researcher at Fortinet’s FortiGuard Labs. “Organizations should keep their often remote workforce employees in the security loop with a steady cadence of security-related education and updates. These updates might include policy guidelines in place to protect the enterprise network, instruction on cyber hygiene, and patch management.”

“Organizations should absolutely have a clear endpoint device management/BYOD policy and corresponding awareness training,” agreed Zheng. In addition, Zheng recommended two key technical controls: “Define what critical access means, e.g. access to production or environments/systems with confidential data,” [and] “implement device trust so that users can only use certified devices meeting certain corporate security for critical access.”

“This provides a balanced approach to protect the ‘crown jewels’ while allowing certain flexibility to employee's device usage,” Zheng explained.

According to Bitdefender, MosaicLoader uses infrastructure that was previously tied to Netbounce, a threat actor that researchers at FortiGuard exposed in a report last March. In February, Fortinet had received a brazen email-based request from a fake company asking the security vendor to whitelist its software, supposedly because its application updates were generating false-positive security alerts. However, Fortinet analyzed the purportedly benign executable, which turned out to be a Golang-based downloader with reverse proxy capabilities, capable of targeting multiple OS platforms, including Windows, Linux and MacOS. Apparently, the attackers were hoping to trick Fortinet into making its malware legitimate.

Bitdefender contends that MosaicLoader’s operators have employed a somewhat related approach, in this instance “mimicking executable files that belong to legitimate software.”

“If this is indeed the same threat actor — it is possible it could be different threat actors using parts of the same attack infrastructure — it is clear there is a market for the attackers to target users who want to earn money or get free software,” said Lakhani. In the case of Netbounce, the cybercriminals were using the lure of earning money by sharing your bandwidth.

Botezatu told SC Media that the operators of MosaicLoader are likely looking to continue growing its botnet, while divvying up its victims among multiple cybercriminal outfits — which explains why the loader has dispersed an eclectic assortment of secondary payloads. He warned that the backdoor and RAT payloads are especially serious because the kind of access they provide could easily allow cybercriminals to “plant ransomware” or “spy on people's cameras and microphones.”

Other notable features of MosaicLoader include various obfuscation and anti-analysis techniques, including jumps that break code up into chunks, and the “use of mathematical operations with large numbers to obtain values required by the program,” the report states.

Earlier this month, Bitdefender also disclosed the latest updates to Trickbot malware’s arsenal — a new version of its vncDll module used for monitoring and intelligence gathering.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.
