Password-stealing Windows malware spreads via ads in search results

Cybersecurity researchers have detected a new strain of malware that can download a variety of threats, but is interestingly delivered

through paid online adverts in search results.

Named MosaicLoader by the Bitdefender researchers who first ran into it, the malware is designed to infect devices of users looking

for cracked software.

“Systems infected with this malware become part of the network of machines that attackers can further infect with any piece of

malware they want. During our analysis, we observed that the payloads delivered by the second stage are malware sprayers that

download and run many other malicious files,” the researchers note in their analysis.

Once installed, the malware creates a complex chain of processes in its attempts to download additional threats, which could range

from simple cookie stealers, and cryptocurrency miners to fully-fledged backdoors such as Glupteba.

Capitalizing on software piracy

Bitdefender shares that adverts bearing links to the malware appear at the top of search results for users searching for cracked

versions of popular proprietary software.

“Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and

larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call,” Bogdan

Botezatu, director of threat research and reporting at Bitdefender briefed ZDNet.

Bitdefender says that the campaign has no specific target countries or organizations, and indiscriminately delivers its payloads to

users looking for cracked software.

Believed to be the handiwork of a new cyberthreat group, Bitdefender thinks the malware’s current form of distribution will itself

keep it away from users who don’t go out looking for cracked software on the Internet.

credit :

Leave a Comment