Mosaic Loader - Behaviour Analysis

Mosaic loader (as named recently) refers to a malware delivery platform that infects Windows PCs. SecneurX has been tracking malicious behaviours of this malware, now referred to as Mosaic Loader since March 2021 and the findings and observations in this blog are from SecneurX Advanced Dynamic Malware Analysis.


Mosaic loader malware are usually found disguised as cracked version of well known softwares. Once downloaded and installed it deploys Remote Access Trojans creating a back door for administrative control over the target computer.

This analysis describes the multiple stages involved in the attack. The behaviour reports generated by our Advanced Dynamic Malware Analysis is included at the end of this blog.


Stage 1 : (Initial attack payload)


The malware communicated with the C2 to download the payload which is a .ZIP file. The .ZIP file contains files named appsetup.exe and prun.exe which are required for the next stage of attack.


hxxp://f5e0ecd0-cff3-4c27-ba11-17b0ba4f4d76[.]servebytes[.]xyz/update-assets.zip


Stage 2 : (Evasion)


Mosaic Loader evades detection from Windows Defender by adding exclusions for specific file names. The following commands were executed to create the exclusions in Windows Defender.


Stage 3 : (Executing the payload)


Update-assets.zip which was downloaded in stage 1 contains the following files.


appsetup.exe

The appsetup.exe is extracted to C:\Program Files (x86)\PublicGaming\appsetup.exe.


prun.exe

prun.exe is extracted to C:\Program Files (x86)\PublicGaming\prun.exe and is run multiple times and sends requests to the C2 for tasks.


Stage 4: Remote Access


Malware communicates to the C2 regarding the current state of the infected machines giving the C2 Remote Access to the infected machine. Below is the network communication to C2.


Stage 5 : (Malware Sprayer)


All the downloaded payload reside in a folder “PublicGaming”. Below image shows the process tree view of process created from appsetup.exe and prun.exe


Stage 6 : (Data Exfiltration)


The final stage of the malware POST a .ZIP file containing critical information about the infected system.


[ POST ] hxxp://juicymp3s[.]com/main.php

[ POST ] hxxp://juicymp3s[.]com/

The Zip file uploaded to the C2 contains detailed information about the hardware and software resources of the machine, Email IDs, saved passwords, cookies and payment information from the browsers. It also contains documents and files saved on the desktop along with a screenshot image.

Hashes


2793bbaba9d12a4a740b6c957143367ce1fb13bb98ecb122e2cb41728bed525e

3a64941353e52a3d8fb3bc898189a0d684b1a88a9c5fdbc496ef58738f42c444

1688a5d18382601fb6cc692f38d748d80662ef99609062d4a34236d1f15bc58f

af7e5864c9e4b6c0161231a1be5822505ba84eb55e0185693ef5835954c98a21

8f71fca5621ccb7ba3558cfebc17014d27923d1c73ad97ececb577fd5b937047

5dc4c9f9b91f1d349aa12569b1c9e792710adbc5d8e200b89f92c920008901fc

1bceb4e84115eabb8bf3df704b5cc014834ca08b126451ae95d60a968e66d666

cf76d84527415e188f5954b3c7289ad60f3b36ad0aedb913c53cf398243609a9

173240b443fdb5cc7ed97cf6eedeb0d823924df3dab6d468c9da2898443f3ac6

e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c

ffee418630863c5ba63d37ab65a2617fa8c64f1c5c774e0f2f2c072cab5cb931

91047e4971d0b957386f0c21a4d90ccbac47d75e5d4af565f1566c5cc013062e

c01c0d4e0e43f5a7a4dea3e833bb69d29b560c478713e4c37f31599250fed260

c366a12ebce6fac89542bd70335a3ad9b0c44692946c6d173234a7840f846812

b06ce74a41d1cfd7bc73dc8b67417f1c17c85d9570f88fb842e124c9eb0c29ea

3816722f95463c51bb6203427a2c1947332e231bea0cd1297abfb8b89d109326

40ae56610e25e1b7dbe5e0c69bd432fbcb4ebe014cd3e0ca66b5dcf98ed34602

1e67c3f1fb1d82e8bbc180fd4c2ec7131636a16887f0a73f821b10f477119b60

70289206a05f5f5a83afa162b4fdbf5cd5d2ebfc9e8615d6d9e42ac839fd4302


Indicator Of Compromise

  • g.capboost[.]xyz

  • uehge4g6gh[.]2ihsfa.com

  • binsas01[.]top

  • cinund16[.]top

  • morsxd01[.]top

  • fetch.nerdprotect[.]xyz

  • shopfun[.]top

  • fetch.saleclutch[.]xyz

  • juicymp3s[.]com

  • g.bluestreak[.]xyz

  • bce1330f-e004-4c66-b35d-a09353c670e7.certbooster[.]com

  • c9a95546-61da-4804-819a-a2aff382df75.nordlt[.]com

  • fetch.chargenets[.]com

  • get.elsafanbooks[.]com

  • gt.cookupfriendly[.]com

  • dist.bumpernodes[.]com

  • aktyd05[.]top

  • bayhh46[.]top

  • Morryv04[.]topt1.xofinity[.]com

  • t1.cloudshielding[.]xyz

  • srv2.checkblanco[.]xyz

  • uehge4g6gh.2ihsfa[.]com

  • fbddbfdd-5271-47c1-8686-51286090f708.servebytes[.]xyz

  • 431ef0a8-3071-4ac7-a5e6-d4d609a9c1f8.servebytes[.]xyz


Device Indicator

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'APPSETUP.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'PRUN.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P1.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P2.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P3.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P4.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P5.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P6.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P7.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P8.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P9.EXE'

  • POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'

  • CMD.EXE /C POWERSHELL -COMMAND ADD-MPPREFERENCE -EXCLUSIONPROCESS 'P10.EXE'

Conclusion

Based on the above analysis SecneurX recommends checking your network for these IOCs and take remediation to protect your infrastructure and information.


Behaviour report

e85230a1b9b9c364056b1a2674cb85304cceb0769c6897a45ee498984973da8c

1bceb4e84115eabb8bf3df704b5cc014834ca08b126451ae95d60a968e66d666





182 views0 comments