Bitdefender security researchers discovered a new malware strain spiking in their telemetry. The malware, which Bitdefender named MosaicLoader, is a downloader that can deliver any payload to the infected system. During their investigation, Bitdefender found that MosaicLoader threat actors used the following tactics to hinder researchers' malware analysis efforts and to increase their attacks' rate of success:
What caught the attention of researchers were processes that add local exclusions in Windows Defender for specific file names that all reside in the same folder. Bitdefender named it MosaicLoader because of the intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering. MosaicLoader is seemingly delivered through paid ads in search results designed to lure users looking for cracked software to infect their devices. Once planted on the system, the malware creates a complex chain of processes and tries to download a variety of threats, from single cookie stealers to cryptocurrency miners or more complex ones, such as the Glupteba Backdoor.