This password-stealing Windows malware is distributed via ads in search results




A newly discovered form of malware delivered to victims via search results ads is used as a gateway to steal passwords, install cryptocurrency miners, and deliver additional Trojan horse malware.

Detailed by cybersecurity company Bitdefender, the malware – which targets Windows – has been dubbed MosaicLoader and has infected victims around the world as those behind it attempt to compromise as many systems as possible.

MosaicLoader can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor on infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information.


Unlike many forms of malware, which are distributed through phishing attacks or unpatched software vulnerabilities, MosaicLoader is delivered to victims through advertising.

Links to malware appear at the top of search results when people search for cracked versions of popular software. The automated systems used to buy and serve ad space likely mean that no one in the chain – other than attackers – knows the ads are malicious.

The security company said employees working from home were at a higher risk of downloading pirated software.

“Most likely, attackers buy ads with downstream ad networks – small ad networks that route ad traffic to increasingly large providers. They usually do so on weekends when manual ad verification is affected by limited staff on duty,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.

It is possible that the malware could be detected by anti-virus software, but many users who download pirated software illegally have likely disabled their protections in order to access and install the download.

To make the download appear as legitimate as possible to the user, the pirated software mimics the file information of the real software, even down to the names and descriptions in the file folders.

However, all that is downloaded is MosaicLoader, which allows attackers to gain access to the machine. Researchers note that attackers are attempting to steal usernames and passwords from online accounts, as well as install cryptocurrency miners and deliver Trojan malware, which provides backdoor access to machines.

It is suspected that the purpose of this campaign is to eventually sell access to compromised Windows machines – although the fact that additional malware is already installed suggests that attackers are stealing data for themselves.


“From what we can tell, this new MosaicLoader is trying to infect as many devices as possible, potentially gaining market share, and then selling access to infected computers to other threat actors,” said Botezatu.


According to Bitdefender, the group of cybercriminals behind MosaicLoader is likely a new operation, unrelated to any previously known group. They try to spread the malware as much as possible, but the current form of distribution means that as long as users don’t try to download pirated software, they will stay safe.

Users should also be wary of following instructions to disable antivirus software, as this can allow malware to enter the system.

“We advise users to never turn off their security solution when it blocks the installation of software downloaded from the Internet, as attackers have become adept at bundling legitimate applications with malware,” Botezatu said.
