Malware Services & PrivateLoader

Industry: N/A | Level: Strategic | Source: Intel471

Intel471 provides research on Pay-per-Install (PPI) malware services that are outsourced participants willing to facilitate the "distribution and delivery" of malware. The main method of distribution has been through search engine optimization (SEO) schemes to lure victims seeking pirated software. Intel471 also provides details of an associated PPI program, PrivateLoader detailed as the following "PrivateLoader sits at the front of this operation and communicates with its back-end infrastructure to retrieve URLs for the malicious payloads to “install” on the infected host. As is the case with downloaders tied to PPI services, PrivateLoader communicates a variety of statistics such as which payloads were downloaded and launched successfully." Based on tracking data with unique download hashes, the most popular PPI malware dropped are Smokeloader, Redline and Vidar. Although not desired by PPI operators (due to malware being rendered inoperable) ransomware can be executed from these services. Observed instances with ransomware execution have been connected with banking trojans using ransomware associated with “LockBit and STOP Djvu ransomware families.”