Bitdefender researchers have noticed a new malware strain spiking in our telemetry. What caught our attention were processes that add local Windows Defender exclusions for specific file names (prun.exe, appsetup.exe, etc.) that all reside in the same folder, \PublicGaming\. Further investigation revealed that this malware is a downloader that can deliver any payload to the infected system. We named it MosaicLoader because of its intricate internal structure, which is built to confuse malware analysts and hinder reverse engineering.
MosaicLoader is seemingly delivered through paid search-result ads that target users looking for cracked software. Once planted on the system, the malware creates a complex chain of processes and tries to download a variety of threats, ranging from simple cookie stealers and cryptocurrency miners to more complex ones such as the Glupteba backdoor.
Researchers at Fortinet [1] observed similar processes using the same C2 as the MosaicLoader samples we investigated. In that case, the attackers themselves asked Fortinet to remove detection of the file net-helper.exe. Their trick was to create seemingly legitimate executables whose version information (company name and file description) matched the file's name. The attackers kept this approach in the newer droppers, mimicking executables that belong to legitimate software. While the execution flow of the malware is somewhat similar to that of Warzone RAT [2], the C2 servers and the delivered payloads do not appear related to the actors behind Warzone.
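The two observations above (Defender exclusions added for files under \PublicGaming\, and droppers that carry vendor-looking file information) suggest a simple local hunting check. The following PowerShell script is an added example written for this article's readers, not Bitdefender's or Fortinet's code: it lists the local Defender exclusions from both Get-MpPreference and the registry, flags the ones matching the folder and file names named above, pulls the last week of Defender configuration-change events (event ID 5007), and for each flagged path compares what the excluded executables claim in their version resource with whether they carry a valid Authenticode signature. The seven-day window, the name list and the "claims a vendor but is unsigned" heuristic are this example's own assumptions; it must be run from an elevated PowerShell session, since the exclusion registry keys are not readable otherwise.

```powershell
# Added hunting script, not from the original article. Run elevated.
# Names below are the ones the article reports; treat the list as a starting point.
$SuspiciousFolder = '\PublicGaming\'
$SuspiciousNames  = @('prun.exe', 'appsetup.exe', 'net-helper.exe')

function Get-DefenderExclusions {
    # Collect exclusions from the cmdlet and from the registry; a mismatch
    # between the two is itself a sign that something tampered with Defender.
    $found = [System.Collections.Generic.List[object]]::new()

    $pref = Get-MpPreference -ErrorAction SilentlyContinue
    foreach ($p in @($pref.ExclusionPath)) {
        if ($p) { $found.Add([pscustomobject]@{ Source = 'Get-MpPreference'; Type = 'Path';    Value = $p }) }
    }
    foreach ($p in @($pref.ExclusionProcess)) {
        if ($p) { $found.Add([pscustomobject]@{ Source = 'Get-MpPreference'; Type = 'Process'; Value = $p }) }
    }

    # Exclusions are stored as value names (DWORD 0) under these keys.
    $base = 'HKLM:\SOFTWARE\Microsoft\Windows Defender\Exclusions'
    foreach ($sub in 'Paths', 'Processes') {
        $key = Get-Item -Path (Join-Path $base $sub) -ErrorAction SilentlyContinue
        if ($key) {
            foreach ($name in $key.GetValueNames()) {
                $found.Add([pscustomobject]@{ Source = 'Registry'; Type = $sub; Value = $name })
            }
        }
    }
    return $found
}

function Test-SuspiciousExclusion {
    param([string]$Value)
    # Match the folder the article names, or any of the listed file names (case-insensitive).
    if ($Value -like "*$SuspiciousFolder*") { return $true }
    $leaf = Split-Path -Path $Value -Leaf -ErrorAction SilentlyContinue
    return [bool]($leaf -and ($SuspiciousNames -contains $leaf))
}

function Get-ExecutableIdentity {
    param([string]$Path)
    # Compare what the file claims (version resource) with what it can prove (Authenticode).
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    if (-not $item) { return $null }
    $sig = Get-AuthenticodeSignature -FilePath $item.FullName
    [pscustomobject]@{
        File               = $item.FullName
        CompanyName        = $item.VersionInfo.CompanyName
        FileDescription    = $item.VersionInfo.FileDescription
        SignatureStatus    = $sig.Status
        Signer             = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        # Heuristic (assumption): names a vendor in its version info but has no valid signature.
        ClaimsWithoutProof = ([bool]$item.VersionInfo.CompanyName) -and ($sig.Status -ne 'Valid')
    }
}

# 1. Current exclusions and the ones matching the MosaicLoader pattern.
$exclusions = Get-DefenderExclusions
$hits = @($exclusions | Where-Object { Test-SuspiciousExclusion -Value $_.Value })
"Defender exclusions found: $($exclusions.Count); matching the pattern: $($hits.Count)"
$hits | Format-Table -AutoSize

# 2. Recent exclusion changes from the Defender operational log.
#    Event 5007 = configuration changed; the message names the registry value that was written.
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 5007
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Exclusions\\' } |
    Select-Object TimeCreated, Message | Format-List

# 3. Claim-vs-proof report for executables under every flagged exclusion that exists on disk.
$identities = foreach ($h in $hits) {
    if (Test-Path -LiteralPath $h.Value -PathType Container) {
        Get-ChildItem -LiteralPath $h.Value -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ExecutableIdentity -Path $_.FullName }
    } elseif (Test-Path -LiteralPath $h.Value -PathType Leaf) {
        Get-ExecutableIdentity -Path $h.Value
    }
}
$identities | Where-Object { $_ } | Format-Table File, CompanyName, SignatureStatus, ClaimsWithoutProof -AutoSize
```

A file that names a well-known company in CompanyName while reporting NotSigned or HashMismatch is exactly the mimicry pattern described above and deserves a closer look; a valid signature from an unrelated signer is worth noting too. Because Get-MpPreference and the registry are read independently, an exclusion present in one but not the other should be treated as tampering rather than discarded.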
In this article, we will show the execution flow of MosaicLoader along with some techniques employed by attackers, including:
- Mimicking the file information of legitimate software
- Code obfuscation with small chunks and a shuffled execution order
- A payload delivery mechanism that infects the victim with several malware strains