On Tuesday, Intel 471 published a report into PrivateLoader that examines cyberattacks making use of the loader since May 2021. The pay-per-install (PPI) malware service has been in the cybercrime field for a while, but it is unknown who is behind the malware's development.

Loaders are used to deploy additional payloads on a target machine. PrivateLoader is a variant offered to criminal customers on an installation basis, in which payment is made based on how many victims they manage to secure.

PrivateLoader is controlled through a set of command-and-control (C2) servers and an administrator panel built with AdminLTE 3. The front-end panel offers functions including adding new users, configuration options to select a payload to install through the loader, target selection by location and country, setup of payload download links, encryption, and selection of browser extensions for compromising target machines.

Distribution of the loader is primarily through cracked software websites. Cracked versions of popular software, sometimes bundled with key generators, are illegal copies tampered with to circumvent licensing or payment. Download buttons for cracked software on these websites are embedded with JavaScript that delivers the payload in a .ZIP archive.

In samples collected by the cybersecurity firm, the package contained a malicious executable. This .exe file triggers a range of malware, including a fake GCleaner load reseller, PrivateLoader, and Redline. The PrivateLoader module has been used to execute Smokeloader, Redline, and Vidar since at least May 2021. Of these malware families, Smokeloader is the most popular.
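The delivery stage described above is a ZIP archive that carries an executable. As an added triage example (not code from the report or from Intel 471), the script below inspects each archive member and flags Windows PE payloads by their MZ header rather than by file extension, so a renamed executable is still caught; the sample archive and its byte contents are constructed for the example and contain no real malware.

```python
import hashlib
import io
import zipfile

# Constructed sample archive of the kind delivered by a "cracked software"
# download button: a text file, an obvious .exe, and a PE hiding behind
# a .dat name. The bytes are made up and are not a real payload.
_buf = io.BytesIO()
with zipfile.ZipFile(_buf, "w") as _zf:
    _zf.writestr("setup/readme.txt", "run the installer")
    _zf.writestr("setup/installer.exe",
                 b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 40)
    _zf.writestr("setup/keygen.dat", b"MZ" + b"\x00" * 100)
SAMPLE_ZIP_BYTES = _buf.getvalue()

PE_EXTENSIONS = (".exe", ".dll", ".scr")


def triage_archive(data: bytes) -> list[dict]:
    """Return one record per ZIP member, identifying PE files by header."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            is_pe = content[:2] == b"MZ"  # DOS header present in every PE
            findings.append({
                "name": info.filename,
                "size": info.file_size,
                "sha256": hashlib.sha256(content).hexdigest(),
                "is_pe": is_pe,
                # PE content behind a non-executable extension is a common trick
                "misleading_ext": is_pe
                and not info.filename.lower().endswith(PE_EXTENSIONS),
            })
    return findings


def suspicious_members(data: bytes) -> list[str]:
    """Names of PE members: the stage worth detonating in a sandbox."""
    return [f["name"] for f in triage_archive(data) if f["is_pe"]]


if __name__ == "__main__":
    for finding in triage_archive(SAMPLE_ZIP_BYTES):
        print(finding)
```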
Smokeloader is a separate loader that can also be used for data theft and reconnaissance; Redline specializes in credential theft, whereas Vidar is spyware able to exfiltrate many different data types, including passwords, documents, and digital wallet information.

A distribution link for grabbing Smokeloader also hints at a potential connection to the Qbot banking Trojan. PrivateLoader bots have also been used for the distribution of the Kronos banking Trojan and the Dridex botnet. PrivateLoader isn't specifically tied to the deployment of ransomware, but a loader linked to this malware, dubbed Discoloader, has been used in attacks designed to spread Conti.

"PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them a wide array of options to easily achieve their goals," the researchers say. "By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader."