This password-stealing Windows malware is distributed via ads in search results

Cybersecurity company Bitdefender has discovered a new form of malware that is delivered to victims via advertisements that appear in search results. Bitdefender states that the malware is being used as a gateway for attackers to steal passwords, deliver additional malware, and install cryptocurrency miners. The malware targets Windows devices and has been named MosaicLoader. It has already infected victims across the world as attackers attempt to target as many systems as possible. MosaicLoader can also be used to install Glupteba, another type of malware that creates a backdoor into infected systems, onto compromised machines. According to researchers, this tactic can be used to steal sensitive information such as passwords, usernames, and financial data.

Links to the malware appear at the top of search results when people search for cracked versions of popular software. The automated systems used to buy and serve advertising space likely mean that nobody in the chain – aside from the attackers – knows the adverts are malicious at all. The security company said that employees working from home are at higher risk of downloading cracked software. “Attackers are purchasing adverts with downstream ad networks – small ad networks that funnel ad traffic to larger and larger providers. They usually do this over the weekend when manual ad vetting is impacted by the limited staff on call,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender. It’s possible that the malware would be detected by antivirus software, but many users downloading illegally cracked software have likely turned their protections off in order to access and install the download.

“We advise users to never turn off their security solution when it blocks the installation of software downloaded from the internet, as attackers have become adept at bundling legitimate apps with malware,” said Botezatu.