
Mosaic Loader - Behaviour Analysis

Mosaic Loader (as it has recently been named) is a malware delivery platform that infects Windows PCs. SecneurX has been tracking the malicious behaviours of this malware, now referred to as Mosaic Loader, since March 2021; the findings and observations in this blog come from SecneurX Advanced Dynamic Malware Analysis.

Mosaic Loader is usually found disguised as a cracked version of well-known software. Once downloaded and installed, it deploys Remote Access Trojans, creating a backdoor that gives the attacker administrative control over the target computer.

This analysis describes the multiple stages involved in the attack. The behaviour reports generated by our Advanced Dynamic Malware Analysis are included at the end of this blog.

Stage 1 : (Initial attack payload)

The malware communicated with the C2 to download the payload, a .ZIP file. The .ZIP file contains files named appsetup.exe and prun.exe, which are required for the next stage of the attack.

hxxp://f5e0ecd0-cff3-4c27-ba11-17b0ba4f4d76[.]servebytes[.]xyz/update-assets.zip

Mosaic Loader Stage 1 - downloading payload ZIP from C2

Stage 2 : (Evasion)

Mosaic Loader evades detection by Windows Defender by adding process exclusions for specific file names. The commands executed to create the exclusions in Windows Defender are listed under Device Indicator below.

Mosaic Loader Stage 2 - Windows Defender exclusions being added

Stage 3 : (Executing the payload)

update-assets.zip, which was downloaded in stage 1, contains the following files.

appsetup.exe

The appsetup.exe is extracted to C:\Program Files (x86)\PublicGaming\appsetup.exe.

prun.exe

prun.exe is extracted to C:\Program Files (x86)\PublicGaming\prun.exe; it is run multiple times and sends requests to the C2 for tasks.

Stage 4 : (Remote Access)

The malware reports the current state of the infected machine to the C2, giving the C2 remote access to it. Below is the network communication to the C2.

Mosaic Loader Stage 4 - network communication to C2

Stage 5 : (Malware Sprayer)

All the downloaded payloads reside in a folder named "PublicGaming". The image below shows the process tree of the processes created from appsetup.exe and prun.exe.

Mosaic Loader Stage 5 - process tree view from appsetup.exe and prun.exe

Stage 6 : (Data Exfiltration)

In the final stage, the malware POSTs a .ZIP file containing critical information about the infected system.

[ POST ] hxxp://juicymp3s[.]com/main.php

[ POST ] hxxp://juicymp3s[.]com/

Mosaic Loader Stage 6 - POST data exfiltration to C2

The ZIP file uploaded to the C2 contains detailed information about the hardware and software resources of the machine, email IDs, saved passwords, cookies and payment information from the browsers. It also contains documents and files saved on the desktop, along with a screenshot image.

Mosaic Loader - ZIP file contents exfiltrated to C2
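As an added example (not part of the original analysis), the Python below refangs the defanged Stage 1 and Stage 6 URLs from this post into a host watchlist and classifies constructed proxy records, flagging any request to a listed C2 host and any POST whose body starts with the ZIP signature; the host example.test is a constructed placeholder.

```python
import re
from urllib.parse import urlsplit

# Defanged indicators exactly as written in this post (Stage 1 download, Stage 6 exfil).
DEFANGED_IOCS = [
    "hxxp://f5e0ecd0-cff3-4c27-ba11-17b0ba4f4d76[.]servebytes[.]xyz/update-assets.zip",
    "hxxp://juicymp3s[.]com/main.php",
    "hxxp://juicymp3s[.]com/",
]

ZIP_MAGIC = b"PK\x03\x04"  # local file header signature that starts every ZIP archive


def refang(ioc):
    """Turn hxxp://x[.]y into http://x.y so it can be parsed and compared."""
    return re.sub(r"^hxxp", "http", ioc, flags=re.IGNORECASE).replace("[.]", ".")


# Host watchlist derived from the post's URLs.
IOC_HOSTS = {urlsplit(refang(u)).hostname for u in DEFANGED_IOCS}


def classify_request(method, url, body_prefix):
    """Classify one outbound HTTP request.
    Returns 'c2-exfil', 'c2-download', 'zip-upload' or None.
    body_prefix is the first few bytes of the request body (b'' for GET)."""
    host = urlsplit(url).hostname
    is_post = method.upper() == "POST"
    if host in IOC_HOSTS:
        return "c2-exfil" if is_post else "c2-download"
    if is_post and body_prefix.startswith(ZIP_MAGIC):
        return "zip-upload"  # unknown host, but a ZIP body leaving the machine is worth a look
    return None


# Constructed proxy records: (method, url, first bytes of body). example.test is a placeholder.
SAMPLE_REQUESTS = [
    ("GET", "http://f5e0ecd0-cff3-4c27-ba11-17b0ba4f4d76.servebytes.xyz/update-assets.zip", b""),
    ("POST", "http://juicymp3s.com/main.php", b"PK\x03\x04\x14\x00"),
    ("POST", "http://files.example.test/upload", b"PK\x03\x04\x0a\x00"),
    ("GET", "http://www.example.test/", b""),
]


def scan(requests):
    """Return (verdict, url) for every record that matched a rule."""
    hits = []
    for method, url, body in requests:
        verdict = classify_request(method, url, body)
        if verdict:
            hits.append((verdict, url))
    return hits
```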

Indicators of Compromise


Device Indicator

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'

POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'

CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'
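To hunt for Stage 2 in process-creation telemetry, the added Python below (example code written for this post, not SecneurX's tooling) parses command lines like the Device Indicator entries above, handles the cmd.exe /c wrapper, and ranks hits against the names Mosaic Loader excluded; the log lines are constructed.

```python
import re

# Constructed process-creation command lines: three from the Mosaic Loader run
# above, one benign Defender query, one benign shell command, one generic exclusion.
SAMPLE_CMDLINES = [
    "CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'",
    "POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'",
    "powershell.exe -Command Add-MpPreference -ExclusionProcess 'p1.exe'",
    "powershell -Command Get-MpPreference",
    "cmd.exe /c dir C:\\Windows",
    "powershell -Command Add-MpPreference -ExclusionPath 'C:\\Users\\Public'",
]

# Process names this sample excluded (see Device Indicator above).
MOSAIC_EXCLUSIONS = {"appsetup.exe", "prun.exe"} | {f"p{i}.exe" for i in range(1, 11)}

# Add-MpPreference followed by an exclusion parameter and a quoted or bare value;
# case-insensitive because the sandbox recorded the lines in upper case.
_EXCL_RE = re.compile(
    r"""add-mppreference\b.*?-exclusion(process|path|extension)\s+(?:'([^']*)'|"([^"]*)"|(\S+))""",
    re.IGNORECASE,
)


def find_defender_exclusion(cmdline):
    """Return (kind, value) for a command line that adds a Defender exclusion,
    or None. Works for the bare PowerShell call and the cmd.exe /c wrapper."""
    m = _EXCL_RE.search(cmdline)
    if not m:
        return None
    value = m.group(2) or m.group(3) or m.group(4)
    return (m.group(1).lower(), value.lower())


def triage(cmdlines):
    """Return (severity, cmdline) for each exclusion added. Any exclusion added
    from a command line deserves review; a known Mosaic Loader name is high."""
    findings = []
    for line in cmdlines:
        hit = find_defender_exclusion(line)
        if hit is None:
            continue
        kind, value = hit
        severity = "high" if kind == "process" and value in MOSAIC_EXCLUSIONS else "medium"
        findings.append((severity, line))
    return findings
```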

Conclusion

Based on the above analysis, SecneurX recommends checking your network for these IOCs and taking remediation steps to protect your infrastructure and information.

Behaviour reports

e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c

1bceb4e84115eabb8bf3df704b5cc014834ca08b126451ae95d60a968e66d666