This malware hidden in pirated software is undetectable by Windows Defender

A new kind of malware has just been discovered. It even manages to hide its misdeeds from the eyes of Windows Defender antivirus. The malware uses a system so sophisticated that the researchers who discovered it named it “MosaicLoader”.

MosaicLoader is malware that lurks in pirated software, and more specifically in their installer. Bitdefender, at the origin of the discovery, warns about the dangerousness of the malware (that is usual), but also and especially on its design and its super sophisticated method of action (that is less usual). ).

The software therefore hides in installer software and once installed on a PC, it will download other malware from a list of URLs. And of course, he does not hesitate to install them on the machine. But what is perhaps really problematic is that the malware it installs is undetectable by Windows Defender Antivirus, whose effectiveness is no longer to be proven.

MosaicLoader prevents Windows Defender from scanning for malware it installs

MosaicLoader gets its name from its rather complex structure and installation method: the malware has been designed in such a way that it prevents any attempt at reverse engineering. Hidden in the installer of pirated software, MosaicLoader starts by downloading a ZIP archive, which it will then unzip in the% TEMP% directory.

This archive contains two executables. They are called appsetup.exe and prun.exe. As soon as the PC gets infected, the malware adds exclusions to Windows Defender using Powershell commands by launching multiple instances of Microsoft’s terminal. Therefore, the two downloaded executables will not be scanned by Microsoft’s security suite. Thus, malware installed by MosaicLoader will fall through the cracks.

Read also: Windows Defender, a bug creates thousands of unnecessary files on Windows 10 PCs

MosaicLoader operation

The extended possibilities of MosaicLoader once installed in the system allow it to act as a botnet, to spread other malware and thus extend its field of action to other PCs. According to Bitdefender researchers, the best way to guard against this kind of malware is not to download pirated software, regardless of the source. “The danger of this application is that it can spread any malicious software in the system. Its purpose is to download a list of malware from sources of infection controlled by attackers and execute them. ”

Note that it is quite easy to verify that your PC has not been infected with MosaiLoader and that it has not added any exclusions to Windows Defender. To do this, open the Registry by simply typing Regedit in the search field of Windows 10 or Windows 11. The exclusions are visible in the following registry keys:

  • File and folder exclusions
    HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows Defender Exclusions Paths
  • File type exclusions
    HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows Defender Exclusions Extensions
  • Process exclusions
    HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows Defender Exclusions Processes

Source: The Hacker News

Leave a Reply

Your email address will not be published. Required fields are marked *