Posted on February 9, 2022 at 6:02 PM
Intel 471 recently published a report examining the Pay-Per-Install (PPI) malware service known as PrivateLoader. The study found that PrivateLoader has played a significant role in the delivery of a wide range of malware, including Raccoon Stealer, Vidar, Redline, GCleaner, and Smokeloader, since May 2021.
Although the PPI service has been active in the cybercrime field for a while, it is not known who is behind its development.
Loaders are used by threat actors to deliver additional payloads to an already compromised machine. PrivateLoader is a loader sold to other criminals on a per-installation basis: customers pay according to the number of victim machines on which their payload was successfully installed.
PrivateLoader is controlled by a set of command-and-control (C2) servers together with an administrator panel built on AdminLTE3, an open-source dashboard template. The pay-per-install service is regarded as one of the most popular loaders on the market today, and security researchers have observed it being installed and deployed by threat actors with increasing frequency.
The Malware Is Distributed Via Cracked Software Updates
Its front-end panel offers functions such as configuration options and the ability to add new users. It also covers payload encryption, the setup of payload download links, and target selection by country and geographical region.
Intel 471 collected samples of the cracked-software packages used for distribution. According to the report, each package contains a malicious executable (.exe) that kicks off a chain of malware, including PrivateLoader, Redline, and the GCleaner loader reseller.
According to the firm, PrivateLoader has been used to deliver Vidar, Redline, and Smokeloader since May 2021, with Smokeloader proving to be the most frequently delivered of these families.
Smokeloader is a separate loader that can also be used for reconnaissance and data theft, while Vidar is generally used by threat actors to exfiltrate various kinds of data, including digital wallet information, documents, and passwords. Redline, for its part, is used for credential theft.
The PrivateLoader Offers Versatility To Threat Actors
PrivateLoader bots have been connected to the distribution of the Dridex botnet and the Kronos banking trojan.
However, the loader is not used to deploy that ransomware directly. Instead, according to the researchers, it gives threat actors a channel for spreading the intermediate malware that is used to plant Conti.
Threat actors are always looking for tooling that gives them a wide range of options when launching attacks, and PPI services have proven very useful to cybercriminals for several years. The versatility of PrivateLoader makes it an attractive option for criminals who want to keep as many attack options open as possible.
As a result, the researchers say it is important to highlight that versatility to raise awareness, so that defenders can develop strategies capable of thwarting attacks enabled by PrivateLoader.
The Operators Rely Heavily On PrivateLoader
The researchers noted that they began automating coverage and tracking of the malware in September 2021. Since then they have gathered a considerable amount of data that has allowed them to learn more about the service.
They presented their findings in a chart showing the number of unique hashes PrivateLoader downloaded for each malware family. Each PrivateLoader sample embeds a region code, which is sent to the C2 server along with the country of the bot.
The side panel of the sample shows the “link_goe” parameter, and the chart counts unique hashes downloaded per region. The distribution looks different, however, when the unique hashes are instead broken down by the bots’ country codes.
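The two breakdowns the researchers describe (unique payload hashes per embedded region code versus per bot country) are easy to reproduce from loader telemetry. The following is an added example, not Intel 471's code or data: the download events are constructed for illustration, the hash values are placeholders, the field `link_geo` is our own name for what the page calls the "link_goe" parameter, and the region-membership table is an assumption used only to flag bots that fetched a payload outside the region the sample was targeting.

```python
"""Aggregate PPI loader download telemetry by family, region code and bot country.

Added example, not part of the report. Counting *unique* payload hashes rather
than raw download events avoids over-counting one payload that many bots fetched.
"""
from collections import defaultdict

# Constructed sample telemetry (placeholder hashes, not real observations).
# link_geo: region code embedded in the loader sample (the page's "link_goe").
# bot_cc:   country code reported by the infected machine.
EVENTS = [
    {"family": "Smokeloader", "sha256": "aaa1", "link_geo": "EU", "bot_cc": "DE"},
    {"family": "Smokeloader", "sha256": "aaa1", "link_geo": "EU", "bot_cc": "FR"},
    {"family": "Smokeloader", "sha256": "aaa2", "link_geo": "EU", "bot_cc": "US"},
    {"family": "Smokeloader", "sha256": "aaa3", "link_geo": "EU", "bot_cc": "UA"},
    {"family": "Redline",     "sha256": "bbb1", "link_geo": "US", "bot_cc": "US"},
    {"family": "Redline",     "sha256": "bbb1", "link_geo": "US", "bot_cc": "BR"},
    {"family": "Vidar",       "sha256": "ccc1", "link_geo": "ALL", "bot_cc": "RU"},
    {"family": "GCleaner",    "sha256": "ddd1", "link_geo": "ALL", "bot_cc": "US"},
    {"family": "GCleaner",    "sha256": "ddd2", "link_geo": "US", "bot_cc": "US"},
]

# Assumed mapping of region codes to member countries; None means "no restriction".
REGION_MEMBERS = {"EU": {"DE", "FR"}, "US": {"US"}, "ALL": None}


def unique_hashes_by(events, key):
    """Map each distinct value of `key` to the number of unique payload hashes seen under it."""
    seen = defaultdict(set)
    for ev in events:
        seen[ev[key]].add(ev["sha256"])
    return {k: len(v) for k, v in seen.items()}


def ranked_families(events):
    """Families ordered by unique payload count, most prolific first (ties by name)."""
    counts = unique_hashes_by(events, "family")
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def region_vs_country(events):
    """The two views the report contrasts: per embedded region code and per bot country."""
    return unique_hashes_by(events, "link_geo"), unique_hashes_by(events, "bot_cc")


def geo_mismatches(events, members=REGION_MEMBERS):
    """Downloads where the bot's country lies outside the region the sample targeted.

    A steady stream of these suggests the region code is a customer preference
    rather than a hard filter, which matters when judging how targeted a campaign is.
    """
    out = []
    for ev in events:
        allowed = members.get(ev["link_geo"])
        if allowed is not None and ev["bot_cc"] not in allowed:
            out.append((ev["sha256"], ev["link_geo"], ev["bot_cc"]))
    return out


if __name__ == "__main__":
    for family, n in ranked_families(EVENTS):
        print(f"{family:12s} {n} unique payload(s)")
    by_region, by_country = region_vs_country(EVENTS)
    print("by region code:", by_region)
    print("by bot country:", by_country)
    print("out-of-region downloads:", geo_mismatches(EVENTS))
```

Run against real telemetry, `ranked_families` reproduces the report's family chart, while the two dictionaries from `region_vs_country` show why the picture changes depending on which field is used for the breakdown: one US-targeted payload fetched by bots in several countries inflates the per-country view without changing the per-region one.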
The researchers also indicated that the operators behind the “Privacy Tools” campaign depend heavily on PrivateLoader to deliver SmokeLoader. Based on their analysis, the domains involved host a website that purportedly offers “Privacy Tools.”
The site spoofs the real PrivacyTools website, which is run by data-privacy volunteers. According to the researchers, the threat actors likely also use other PPI services or distribution methods for the SmokeLoader family. A sample downloaded by PrivateLoader has additionally been observed delivering the Qbot banking trojan.