This password-stealing Windows malware is distributed via ads in search results

MosaicLoader can be used to steal passwords, install cryptocurrency miners and deliver trojan malware warn researchers, who say those behind it want to sell access to Windows PCs on to other cyber criminals.

By: Danny Palmer

A newly discovered form of malware delivered to victims via adverts in search results is being used as a gateway to stealing passwords, installing cryptocurrency miners and delivering additional trojan malware.

Detailed by cybersecurity company Bitdefender, the malware – which targets Windows – has been dubbed MosaicLoader and has infected victims around the world as those behind it attempt to compromise as many systems as possible.


MosaicLoader can be used to download a variety of threats onto compromised machines, including Glupteba, a type of malware that creates a backdoor onto infected systems, which can then be used to steal sensitive information, including usernames and passwords, as well as financial information.


Unlike many forms of malware, which get distributed via phishing attacks or unpatched software vulnerabilities, MosaicLoader is delivered to victims via advertising.


Links to the malware appear at the top of search results when people search for cracked versions of popular software. Automated systems used to buy and serve advertising space likely means that nobody in the chain – aside from the attackers – know the adverts are malicious at all.


The security company said that employees working from home are at higher risk of downloading cracked software.

"Most likely, attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call," Bogden Botezatu, director of threat research and reporting at Bitdefender, told ZDNet.


It's possible that the malware would be detected by antivirus software, but many users downloading illegally cracked software have likely turned their protections off in order to access and install the download.


In order to make the download seem as legitimate as possible to the user, the cracked software mimics the file information of the real software, even down to names and descriptions within file folders.


However, all that's downloaded is MosaicLoader, which provides the attackers with access to the machine. Researchers note that attackers try to steal usernames and passwords for online accounts, as well as operate cryptocurrency miners and drop trojan malware, which provide backdoor access to machines.


It's suspected that the aim of this campaign is to eventually sell access to compromised Windows machines – although the fact that additional malware is already being installed suggests the attackers are stealing data for themselves.