Researchers found a link between a Pay-Per-Install (PPI) malware service PrivateLoader with another PPI platform offered by a cybercriminal known as ruzki. While PrivateLoader was first documented in February this year, researchers believe that it has been in use since at least May 2021.
Diving into details
- Upon tracking PrivateLoader’s network infrastructure and activities associated with ruzki PPI, SEKOIA researchers observed an overlap between the former’s C2 servers and the latter’s URLs offered to subscribers.
- PrivateLoader botnet samples, which were used to deploy Redline Stealer, contained references to ruzki, such as 3108_RUZKI and ruzki9.
- Both the services commenced in May 2021 and ruzki used the term ‘our loader’ in Russian on its Telegram channel.
Malware propagated by PrivateLoader
- Redline, Raccoon Stealer, Vidar, YTStealer, AgentTesla, Phoenix, Eternity, and other infostealers
- The Djvu ransomware
- DanaBot and SmokeLoader
- XMRig cryptominer and other uncategorized miners
- Other commodity malware, including DcRAT, Netsupport, Glupteba, and Nymaim.
The bottom line
PPI services are well-known modes of disseminating commodity malware, thus, increasing the attack surface. While such services are rearing their ugly heads constantly, ruzki and PrivateLoader have been established for over a year now. Furthermore, these services have lowered the barrier to entry into the cybercrime ecosystem. Therefore, researchers anticipate PrivateLoader and similar services gaining more popularity in the future.
Publisher
/https://cyware-ent.s3.amazonaws.com/image_bank/shutterstock_103655729.jpg)
/https://cyware-ent.s3.amazonaws.com/image_bank/1dfe_shutterstock_2186160297.jpg)
