The malware plants backdoors on infected machines, installs cryptocurrency miners, and steals sensitive information from victims. The likely motive of this campaign is to sell access to the infected machines to other threat actors.
Info Stealer + Backdoor + Crypto Miner
While most malware shares the same aim, stealing information or locking machines, the approaches differ. One such malware is the newly found MosaicLoader, named by Bitdefender, which spotted it. Bitdefender researchers say that MosaicLoader is being spread through online ads. This is a relatively new form of distribution: in the past we have seen malware spread through system vulnerabilities or phishing emails.

Bogdan Botezatu, Bitdefender's Director of Threat Research, told ZDNet that the threat actors use downstream ad networks, which can funnel ad traffic to larger providers, and do this “over the weekend when the limited staff impacts manual ad vetting on call.” They also buy ad slots through automated systems that process the request without any checks, so nobody except the attackers knows the links are malicious.

People who search for cracked versions of popular apps are the intended targets of this campaign, as they are the most likely to trust whatever they have downloaded. Such users are also the most likely to disable their antivirus or ignore its warnings when installing suspicious downloads from unknown sources. The threat actors exploit these habits with fake pirated software, customizing their offerings as much as they can to avoid detection and to hit as many machines as possible.

Once the user installs the software and grants it all requested permissions, MosaicLoader brings in Glupteba, a backdoor trojan that steals usernames, passwords and financial data from the victim's machine. MosaicLoader also installs cryptocurrency miners on the infected machines for the attackers' own profit. Beyond this, according to Bitdefender researchers, the goal behind the campaign is to sell access to the infected devices to other threat actors.