An examination of a pay-per-install loader has highlighted its place in the deployment of popular malware strains, including Smokeloader and Vidar.
On Tuesday, Intel 471 published a report into PrivateLoader that examines cyberattacks making use of the loader since May 2021. The pay-per-install (PPI) malware service has been in the cybercrime field for a while, but it is unknown who is behind the malware’s development.
Loaders are used to deploy additional payloads on a target machine. PrivateLoader is a variant that is offered to criminal customers on an installation basis, in which payment is made based on how many victims they manage to secure.
PrivateLoader is controlled through a set of command-and-control (C2) servers and an administrator panel designed with AdminLTE 3.
The front-end panel offers functions including adding new users, configuration options to select a payload to install through the loader, target selection for locations and countries, the setup of payload download links, encryption, and selecting browser extensions for compromising target machines.
Also: Google Cloud launches agentless cryptojacking malware scanner
Distribution of the loader is primarily through cracked software websites. Cracked versions of popular software, sometimes bundled with key generators, are illegal forms of software tampered with to circumvent licensing or payment.
Download buttons for cracked software on websites are actually embedded with JavaScript that deploys the payload in a .ZIP archive.
In samples collected by the cybersecurity firm, the package contained a malicious executable. This .exe file triggers a range of malware, including a fake GCleaner load reseller, PrivateLoader, and Redline.
The PrivateLoader module has been used to execute Smokeloader, Redline, and Vidar since at least May 2021. Out of these malware families, Smokeloader is the most popular.
Smokeloader is a separate loader that can also be used for data theft & reconnaissance; Redline specializes in credential theft, whereas Vidar is spyware able to exfiltrate many different data types, including passwords, documents, and digital wallet information.
A distribution link for grabbing Smokeloader also hints at a potential connection to the Qbot banking Trojan. PrivateLoader bots have also been used for the distribution of the Kronos banking Trojan and the Dridex botnet.
PrivateLoader isn’t specifically tied to the deployment of ransomware, but a loader linked to this malware, dubbed Discoloader, has been used in attacks designed to spread Conti.
“PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them a wide array of options to easily achieve their goals,” the researchers say. “By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader.”
See also
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0