Researchers found a link between the Pay-Per-Install (PPI) malware service PrivateLoader and another PPI platform operated by a cybercriminal known as ruzki. Although PrivateLoader was first documented in February this year, researchers believe it has been in use since at least May 2021.

Diving into details

  • While tracking PrivateLoader’s network infrastructure and the activity associated with the ruzki PPI service, SEKOIA researchers observed an overlap between PrivateLoader’s C2 servers and the URLs ruzki offered to its subscribers.
  • PrivateLoader botnet samples used to deploy Redline Stealer contained references to ruzki, such as the strings 3108_RUZKI and ruzki9.
  • Both services began operating in May 2021, and ruzki referred to ‘our loader’ in Russian on its Telegram channel.

Malware propagated by PrivateLoader

The bottom line

PPI services are a well-established means of distributing commodity malware, and they expand the attack surface of the organizations whose hosts end up infected. New services of this kind appear constantly, but ruzki and PrivateLoader have now been operating for over a year. Such services also lower the barrier to entry into the cybercrime ecosystem, since a buyer needs no distribution infrastructure of their own. Researchers therefore expect PrivateLoader and similar services to grow in popularity.
Cyware Publisher