New malware uses search engine ads to target hacker gamers


New malware uses paid ads in search results to target users looking for pirated software. It uses sophisticated techniques to conceal its presence while also dropping a Pandora’s Box of malware on victims’ systems.

Security company Bitdefender has detailed the inner workings of MosaicLoader software, which mimics legitimate game-related software to avoid detection.

Bitdefender’s report found the first malware dropper stored in archives that claim to offer installers of cracked software. The company said that cybercriminals appear to buy pay-per-click (PPC) ads related to pirated software and then insert those links to the malware dropper in their ads.

The initial program acts as an installer for the “malware sprayer” software that it downloads from a command and control server (C2). This malware comes from a list of sources managed by the criminals behind the software, which include URLs dedicated to hosting malicious files and public Discord channels.

The malware that the program installs includes simple cookie thieves that can be used to hijack victims’ online sessions. They can exfiltrate Facebook login data, allowing cybercriminals to take over a victim’s account, post posts that damage a victim’s reputation or spread more malware.

Other malware installed by the dropper includes cryptocurrency miners and the Glupteba backdoor, which is a botnet program that launches multiple attacks on home browsers and routers and takes its instructions through the Bitcoin blockchain.

Associated resource

Aberdeen Report: How a Platform Approach to Security Oversight Initiatives Adds Value

Integration, orchestration, analysis, automation and the need for speed

Download now

After downloading its initial files, the malware dropper uses PowerShell to exclude them from the Windows Defender anti-malware scanner. Then it registers an executable in the Windows registry and installs a service to reinsert that entry if the user deletes it.

BitDefender analysis shows that the malware uses numerous tricks to avoid detection. It creates folders that look like game directories to store its files, and uses processes that appear to be running software from GPU vendor NVIDIA.

The malware also obscures its activities by breaking its code into small pieces and jumping between them. It also uses math operations with large numbers to generate the data the program needs, making its code more like chunks of data. It also includes padding data which only introduces more noise into the code, making debugging more difficult for security researchers.

Unlike obfuscating their code, malware authors have hard-coded the URL of their C2 server. This allowed researchers to find the server’s IP address and link it to several other malware campaigns.

Featured Resources

Prepare for AI-powered cyberattacks

MIT Technology Review Overview

Download now

Cloud storage performance analysis

Storage performance and value of the IONOS cloud compute engine

Download now

The Forrester Wave: The Best Security Analytics Platforms

The 11 most important suppliers and their ranking

Download now

Use data to reinvent your organization

Build a data strategy for the next wave of cloud innovation

Download now

Leave A Reply

Your email address will not be published.