Since before the depiction of Neptune immortalized in a mosaic in the 3rd Millenium, mosaics have been a source of wonder and amazement. The fine details in an artists expression has been part of past and current artistic works. Newer “artists” are creating masterpieces within a more digitized medium known as malware. This malware is known as MosaicLoader and it is concealed within cracked software to trick users into installing malware.
According to BitDefender the malware would add exclusions of malware files to Microsoft defender that was within a folder called /PublicGaming/. BitDefender named this new type of malware MosaicLoader for its “intricate internal structure that aims to confuse malware analysts and prevent reverse-engineering.” It can also deliver any kind of payload to an infected system.
BitDefender also collaborated with Fortinet researchers to find similar results on their test C2 server. BitDefender also stated that MosaicLoader contains:
- Mimicking file information that is similar to legitimate software
- Code obfuscation with small chunks and shuffled execution order
- Payload delivery mechanism infecting the victim with several malware strains
IPs and Domains:
There are some domain URLs and IP addresses that are used for controlling the malware sprayer in MosaicLoader. Some are malicious domains but some are also legitimate domains:
hxxp://45[.]15[.]143[.]191/redirects/v2.exe
hxxp://45[.]15[.]143[.]191/uploads/cpu-only.exe
hxxp://45[.]15[.]143[.]191/files/file1.exe
hxxp://45[.]15[.]143[.]191/files/file2.exe
hxxp://45[.]15[.]143[.]191/files/file3.exe
hxxp://45[.]15[.]143[.]191/files/file4.exe
hxxp://45[.]15[.]143[.]191/files/file5.exe
hxxp://45[.]15[.]143[.]191/files/file6.exe
hxxp://45[.]15[.]143[.]191/files/file7.exe
hxxp://45[.]15[.]143[.]191/files/file8.exe
12
hxxps://cdn[.]discordapp[.]com/attachments/838446784648052797/841279408946020352/SX.x.1
hxxp://bandshoo[.]info/app.exe
hxxp://file[.]ekkggr3[.]com/lqosko/p18j/customer2.exe
hxxp://45[.]15[.]143[.]191/files/file9.exe
hxxps://cdn[.]discordapp[.]com/attachments/826897158568804390/839908231831617556/jooyu.
exe
hxxps://cdn[.]discordapp[.]com/attachments/826897158568804390/835108974495662080/setup.
exe
hxxp://privacytools[.]xyz/downloads/toolspab2.exe
hxxps://kiff[.]store/builds/KiffApp2.exe
hxxp://md8[.]8eus[.]pw/download.php
hxxps://jom[.]diregame[.]live/userf/2201/google-game.exe
hxxps://cdn[.]discordapp[.]com/attachments/826897158568804390/842095400453406720/Set-
up2.exe
hxxp://moonlabmediacompany[.]com/campaign1/SunLabsPlayer.exe hxxp://www[.]turbosino[.]com/askhelp39/askinstall39.exe
hxxps://2no[.]co/26ica6
Hashes:
Lastly, here are some of the hashes that have been known to be part of the identified MosaicLoader malware:
Finally while there is no specified target for the malware, you can see use cases focused on personal computers.
Defense:
According to BitDefender, the best defensive measure is avoiding downloading cracked software from any source. Avoid getting cracked software from torrent sites or any unreliable source. Remember this can install. Any type of payload on your computer and into an environment. This is something that needs to be taken very seriously.
For the full list of hashes and more information on the hashes, urls, and ips you can download the following docx file or MosaicLoader files please see BitDefender’s white paper.
mosaicloader_hashes_url_ips.docx MD5:
ea4847bf68474552246fbb5004831b72
The Cyber Dudes 