Pay-per-install services are used in the cybercrime underground to monetize the installation of malware on computers. Cybercriminals who have the capability to build a network of infected computers then sell access to those computers. That cybercriminal might do it all by themself or join a PPI criminal organization as an affiliate.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
People who buy access to networks of infected computers do it for different purposes, such as running DDoS operations, cryptocurrency miners or getting useful information for financial fraud.
How does PrivateLoader work?
PPI operators monitor the number of installations, the locations of the infected machines and information on computer software specifications. To achieve this, they generally use loaders during the infection, which allows tracking but also enables the management of additional payloads to be pushed on the infected devices. This is where PrivateLoader comes in, as reported by Sekoia.
PrivateLoader is one of the most prevalent loaders used by cybercriminals in 2022. It is widely used as part of PPI service, enabling the delivery of multiple different malware families operated by several cybercriminals.
The malware is a modular loader written in the C++ programming language. It exhibits three different modules: The core module is responsible for obfuscation, infected host fingerprinting and anti-analysis techniques; a second module is responsible for contacting the command and control server, in order to download and execute additional payloads; and a third module is responsible for ensuring persistence.
Communications between the infected computer and the C2 are obfuscated using simple algorithms like byte substitution and single byte XOR operation. The loader first reaches obfuscated hardcoded URLs in its code, then requests the URLs obtained to reach the C2 server. That server in turn provides a URL to the final payload. The final location of the payloads has changed through the year according to Sekoia researchers, shifting from Discord to VK.com or custom URLs (FigureA).
Figure A
Sekoia researchers discovered four different active C2 servers operated by the PPI service, two of them hosted in Russia with the other two in the Czech Republic and Germany. The researchers have found over 30 unique C2 servers, likely closed once detected by security vendors.
What payloads are distributed?
Last week’s PrivateLoader campaigns distributed these malware types:
- Information stealers: Redline, Vidar, Racoon, Eternity, Socelars, FAbookie, YTStealer, AgentTesla, Phoenix and more
- Ransomware: Djvu
- Botnets: Danabot and SmokeLoader
- Cryptocurrency miners: XMRig and more
- Commodity malware: DcRAT, Glupteba, Netsupport and Nymaim
It is interesting to note that some of those information stealers are some of the most used by traffers, as reported earlier. The researchers suggest that while most PPI services use their own traffic distribution network, some probably purchase traffic generation services such as those offered by traffers teams.
Who is Ruzki PPI?
Sekoia’s investigations led to associate the usage of PrivateLoader with one particular group of Russian-speaking cybercriminals PPI dubbed “ruzki,” also known as “lesOk” or “zhigalsz.” (Figure B).
Figure B
Ruzki’s PPI service sells bundles of thousand installations located on compromised systems all across the world.
The prices provided in September 2022 ranged from $70 UD for a mix of installs all over the world to $1,000 for U.S.-based installs.
The threat actor also might sell those installs to several customers at the same time or sell exclusive access at higher price.
The service offered up to 20,000 installations per day at its launch, yet no recent data could be found on their capability. May 2021 revealed the implication of 800 webmasters leveraging multiple infection chains, according to Sekoia, who also suspects one or more traffers team behind those webmasters.
Ruzki owns PrivateLoader
Conversations observed on social networks by Ruzki services subscribers revealed a URL provided by the PPI service which perfectly matched those of PrivateLoader C2 server. In addition, IP addresses mentioned by Ruzki customers have been categorized as PrivateLoader C2 by the researchers.
Additionally, multiple PrivateLoader instances downloaded the RedLine malware as the final payload. The majority of those RedLine samples contained direct references to ruzki such as “ruzki,” “ruzki9” or “3108_RUZKI.” Finally, Sekoia identified a single botnet associated with all the PrivateLoader C2 servers.
Seeing all these links between Ruzki and PrivateLoader usage, the researchers assessed with high confidence that “PrivateLoader is the proprietary loader of the ruzki PPI malware service.”
How can organizations protect themselves from this threat?
PPI services are based on infecting computers with malware. Different operators running those services have different ways to infect computers, but one of the most used techniques is via networks of websites claiming to offer “cracks” for various attractive software. It might also be spread via direct downloads of attractive software on peer-to-peer networks. Users should therefore be strongly encouraged to never download any illegal software and in particular not run any executable file related to cracking activities.
It is also strongly advised to always have operating systems and all software up to date and patched, in order to avoid being compromised by common vulnerabilities. Multi-factor authentication must be enforced on all internet-facing services so that an attacker in possession of valid credentials cannot simply log in and impersonate a user.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.