Mosaic Loader: A classic example of why you need an inside-out cyber-defense strategy

Intrusion Team
Jul 22, 2021

Security reporters have cited a new expert analysis, published as a white paper, of a malware strain called MosaicLoader. They say the attacks involving MosaicLoader capitalize on a delivery method the reports call search engine optimization (SEO) poisoning: the criminals buy ad slots in search engine results so that their malicious links show up as a top result when users search for terms related to pirated software. (Strictly speaking, buying ad placements is malvertising, while SEO poisoning manipulates the organic rankings; for the user who clicks, the result is the same.) That last part, the pirated software, is interesting.

Are these cybercriminals targeting other cybercriminals? Not everyone attempting to acquire pirated software is a cybercriminal.

They are just cheap. Many of us have wanted to test the real deal before committing to an actual purchase, right? Pirated software provides that temporary luxury. You might think: who cares what happens to people who deal in pirated software? But this is dangerous to the average user too, because let's face it, sometimes you hate ads, and sometimes an ad is exactly the thing you are looking for, or it catches your interest, so you click it. Ads now fill our social media feeds as well, so your exposure to ads and poisoned search results keeps growing. At the end of the day, this tactic relies on the user clicking the ad.

It is at that moment that the user's browser issues a DNS lookup for the attacker-controlled domain and then an HTTP or HTTPS request to it, and the response delivers the first-stage dropper to the victim's machine. The later stages call home to the command-and-control (C2) server in exactly the same way. Most AV and IDS products will not flag this step, because on the wire it is indistinguishable from any other web request: a normal DNS query followed by a normal download from some domain or IP. Nothing malicious has executed on the host yet, so host-based scanners have nothing to scan. Yet this is the critical point in the attack. If you can stop that outbound connection, the attack is over.
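What "stopping that connection" looks like in practice is an egress decision made on the destination rather than on the payload. The following is an added example, not code from the original post or from the white paper it cites, and the indicators in it are constructed placeholders (RFC 2606 reserved names and RFC 5737 documentation address ranges), not real MosaicLoader IOCs; the log layout is an assumed simplified proxy/DNS format. It evaluates each observed connection against a domain blocklist (matching on label boundaries, so a blocked name embedded inside a longer legitimate name is not a hit) and against a list of blocked networks, and returns a block or allow decision with the reasons.

```python
import ipaddress

# Constructed placeholder indicators, not real MosaicLoader IOCs: RFC 2606
# reserved names and RFC 5737 documentation ranges, so nothing here resolves
# to a real host. In production this set comes from your IOC/reputation feed.
BLOCKED_DOMAINS = {"pirated-installer.example", "update-cdn.invalid"}
BLOCKED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.7/32"),
]

# Constructed proxy/DNS log excerpt in an assumed
# "<client> <destination host> <resolved ip>" layout.
SAMPLE_LOG = """\
10.0.0.12 www.example.com 192.0.2.1
10.0.0.12 dl.pirated-installer.example 203.0.113.45
10.0.0.31 updates.microsoft.com 192.0.2.2
10.0.0.31 update-cdn.invalid 198.51.100.7
10.0.0.40 cdn.update-cdn.invalid.example.net 192.0.2.10
10.0.0.55 static.some-site.example 203.0.113.9
"""


def domain_blocked(host, blocked=BLOCKED_DOMAINS):
    """True if host equals, or is a subdomain of, a blocked domain.

    Matching on label boundaries means 'notevil.example' does not match a
    blocked 'evil.example', and a blocked name that appears in the middle
    of a longer legitimate name is not a hit either.
    """
    host = host.rstrip(".").lower()
    return any(host == d or host.endswith("." + d) for d in blocked)


def ip_blocked(ip, networks=BLOCKED_NETWORKS):
    """True if the resolved address falls inside any blocked network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def evaluate(line):
    """Decide one connection; both checks run so a host that rotates names
    but keeps its hosting range is still caught on the IP."""
    client, host, ip = line.split()
    reasons = []
    if domain_blocked(host):
        reasons.append("domain")
    if ip_blocked(ip):
        reasons.append("ip")
    return {
        "client": client,
        "host": host,
        "ip": ip,
        "action": "block" if reasons else "allow",
        "reasons": reasons,
    }


def evaluate_log(text):
    """Evaluate every non-empty line of the log excerpt."""
    return [evaluate(line) for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for decision in evaluate_log(SAMPLE_LOG):
        print(decision["action"], decision["client"], "->", decision["host"],
              decision["ip"], decision["reasons"])
```

The last sample line is the case worth noticing: the hostname is not on the list, but the address it resolves to is inside a blocked range, so the connection is still refused. Reputation lists only cover indicators that are already known, so in practice they are paired with a default-deny for newly registered or uncategorised domains where policy allows it.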

Moving on, the experts continue that upon successful infection, the initial dropper masquerades as a software installer and acts as an entry point to fetch next-stage payloads from a remote server. It also adds local exclusions in Windows Defender for the two downloaded executables, so that the antivirus never scans them. That exclusion is itself a strong detection signal: a legitimate installer has no reason to exempt a file under a user's profile or temp directory from Defender. Herein lies another problem: the malware disguises itself as an update to legitimate software that many of us run in our environments. What is the first natural reaction to "Software Update Available"? You must stay current, right? You do not want to be the victim of an unpatched or outdated application. So you click it, and the attack continues.

Now you are worried about AV detecting the download and installation of trojanized installers posing as updates. But your approach could instead focus on the phase-one tactic: the initial outbound call to the attacker's server. You can address it right there and end the attack, based on the domain's or IP's good or poor reputation. Think of it this way: your users have already seen the ad while browsing and, with no bad intent, clicked it. The outside-in part of the attack has already succeeded. Now you can stop it from the inside out, by refusing the outbound connection. We know, because we have already verified that we kill all connections to the known indicators of compromise from this malware. Visit us to learn more.
