PrivateLoader: The first step in many malware schemes

A full technical breakdown of a prolific pay-per-install service.

Feb 08, 2022


Pay-per-install (PPI) malware services have been an integral part of the cybercrime ecosystem for a considerable amount of time. A malware operator provides payment, malicious payloads and targeting information, and those responsible for running the service outsource the distribution and delivery. The accessibility and moderate costs allow malware operators to leverage these services as another weapon for rapid, bulk and geo-targeted malware infections.

By understanding how these services proliferate, defenders can better recognize these campaigns and stop them from wreaking havoc on their organization’s IT stack. This report focuses on the PrivateLoader modular downloader programmed in the C++ programming language connected to an unidentified PPI service. PrivateLoader sits at the front of this operation and communicates with its back-end infrastructure to retrieve URLs for the malicious payloads to “install” on the infected host. As is the case with downloaders tied to PPI services, PrivateLoader communicates a variety of statistics such as which payloads were downloaded and launched successfully.

Distribution campaigns generally rely on a network of search engine optimization (SEO) enhanced websites that lure unsuspecting victims searching for warez aka pirated software to download and execute malware. A password-protected archive typically is delivered that contains a setup file that embeds and executes multiple malicious payloads on the infected host such as GCleaner, PrivateLoader, Raccoon, Redline, Smokeloader and Vidar malware. We assess these campaigns started to incorporate PrivateLoader since at least May 2021.

This report investigates the PPI service behind it and methods operators employ to obtain “installs” and presents details about the malware families the service delivers.

How PrivateLoader works

The service behind this PrivateLoader PPI campaign and its operators are unknown, as it was not possible to connect the downloader to a specific underground PPI service at the time of this report. However, we observed PrivateLoader’s main command and control (C2) servers also host the administration panel, which is based on the AdminLTE 3 dashboard template. The image below shows the authentication page:

Private Loader authentication page
Image 1: This image depicts the PrivateLoader authentication page.

The front-end script, which uses the Javascript library app.js, appears to expose functionalities offered to panel users. The table below describes interesting JavaScript functions in the script:

FUNCTIONDESCRIPTIONENDPOINT AND PARAMETERS
AddNewUserAdds a new user with a specific role.

/base/user_reg.php

  • login: User login.
  • password: User password.
  • role: User role as an integer.
saveUserModifies an existing user.

/base/user_reg.php

  • user_id: User identifier.
  • login: New user login.
  • password: New user password.
  • role: New user role as an integer.
  • banned: Banned status as an integer.
AddNewLinkAdds a loader link configuration to a payload to install.

/base/link_add.php

  • link_url: Download link to the payload to install.
  • link_status: Link status as an integer.
  • link_geo: Targeted geolocation as an integer.
  • link_dmethod: Link distribution method as an integer.
EditStatusLinkUpdates the status of a loader link configuration.

/base/link_edit.php

  • link_id: Loader link identifier.
  • link_status: New status as an integer.
editUrlLinkEdits the URL for a loader link configuration.

/base/link_url_edit.php

  • link_id: Loader link identifier.
  • link_url: Updated download link.
removeLinkRemoves a loader link configuration.

/base/link_del.php

  • link_id: Loader link identifier.

EditGeoLink

EditGeoLinkIdx

Updates the geolocation targeting for a loader link configuration.

/base/link_edit_geo.php

  • link_id: Loader link identifier.
  • link_geo: New targeted geolocation as an integer.
saveLinkInformationModifies an existing loader link configuration.

/base/link_edit_info.php

  • link_id: Loader link identifier.
  • link_url: Download link of the payload.
  • link_status: Status as an integer.
  • link_geo: Targeted geolocation as an integer.
  • link_ftype: Selected category identifier of the payload as an integer.
  • link_countries: Targeted countries as a string.
  • link_arguments: Arguments to pass to the payload as a string.
  • link_onlybytype: Integer that indicates to run the payload only if the category identifier matches.
  • link_subgeo: Subgeolocation as a string.
  • link_dmethod: Link distribution method as an integer.
AddNewExtensionAdds a configuration to a browser extension to install.

/base/extension_add.php

  • extension_url: Download link to the browser extension to install.
  • config_url: Download link to the configuration of the browser extension.
  • ext_status: Extension status as an integer.
  • ext_geo: Targeted geolocation as an integer.
editUrlExtensionEdits the URL for a browser extension configuration.

/base/extension_url_edit.php

  • extension_id: Extension identifier.
  • ext_url: New link to the extension.
  • cfg_url: New link to the extension configuration.
removeExtensionRemoves a browser extension configuration.

/base/extension_del.php

  • ext_id: Extension identifier.
saveExtensionInformationModifies an existing browser extension configuration.

/base/extension_edit_info.php

  • ext_id: Extension identifier.
  • ext_url: Download link of the extension.
  • cfg_url: Download link of the extension configuration.
  • ext_status: Extension status as an integer.
  • ext_geo: Targeted geolocation as an integer.
  • ext_countries: Targeted countries as a string.
LoadFileToEncryptEncrypts a file. Possibly uses the byte substitution and XOR algorithm described in the Malware Report

/base/file_crypt.php


Multipart form POST request with the file to encrypt.

CalculateAllLinksLoadsReturns the number of total and unique installed payloads for all link identifiers.

/base/logger_counter.php

  • ids: All link identifiers.
CalculateCurrentLinksLoadsReturns the number of total and unique installed payloads for a link identifier.

/base/logger_counter.php

  • ids: Single link identifier.

Delivering the PrivateLoader downloader

PrivateLoader is delivered through a network of websites that claim to provide “cracked” software, which is modified versions of popular legitimate applications that people commonly use. These websites are SEO optimized and usually appear at the top of search queries that contain keywords such as “crack” or “crack download,” preceded by the software name.

For example, a search for “Malwarebytes crack” returns the following websites as the fourth and fifth results:

Malwarebytes crack search results
This image depicts “Malwarebytes crack” search results.

Visitors are lured into clicking a “Download Crack” or “Download Now” button to obtain an allegedly cracked version of the software. The JavaScript for the download button is retrieved from a remote server.

Malwarebytes cracked version download option
This image depicts an option to allegedly download a cracked version of the software.

After a few redirections, the final payload is served to the user as a password-protected compressed (.zip) archive. The screenshot below shows the actual download page:

Cracked version download page
This image depicts the download page.

In our example, the archive served was named “PASSWORD_IS_324325____Malwarebytes-Pr.zip.” It contained a Nullsoft Scriptable Install System (NSIS) installer named “setup_x86_x64_install.exe,” which embeds and executes numerous malicious payloads such as GCleaner, PrivateLoader and Redline.

Researchers from SophosLabs previously investigated this delivery network and tied some of its infrastructure to the InstallUSD PPI service.

Malware families dropped

Automated malware coverage and tracking for PrivateLoader started in early September 2021. We have since gathered sizable amounts of data that helped us learn more about the service.

The following chart shows the number of unique hashes downloaded by PrivateLoader for each malware family our Malware Intelligence systems detected. The most popular families this PPI service distributed in descending order were Smokeloader, Redline and Vidar:

Hashes Malware Family 02 Feb2022
This chart shows the number of unique hashes downloaded by PrivateLoader for each malware family our Malware Intelligence systems detected.

Each PrivateLoader sample embeds a region code that is communicated to the C2 server and country of the bot. The chart below depicts the number of unique hashes downloaded per region code in the duration of coverage. We believe the “WW” prefix in these region codes stands for “worldwide,” since it was most commonly found in samples. On the panel side, we suspect this code represents the “link_geoparameter described in the previous table.

Hashes Region Code 02 Feb2022
This chart depicts the number of unique hashes downloaded per region code.

However, we observe a different distribution when querying the number of unique hashes by bots’ country codes (see: chart below). This is expected since popular worldwide region codes encapsulate multiple countries.

Hashes Country Code 02 Feb2022
This chart depicts the number of unique hashes downloaded per country code.

Smokeloader

Of the payloads we saw pushed by PrivateLoader, the most common was Smokeloader. The following chart shows the extracted affiliate IDs (or lack thereof) from all unique Smokeloader samples detected by our Malware Intelligence systems:

Smokeloader I Ds 02 Feb2022
This chart shows the percentage of extracted affiliate IDs from all unique Smokeloader samples detected by our Malware Intelligence systems.

The top 10 detected domains used to deliver Smokeloader included:

HOST NAMEUNIQUE SAMPLES DOWNLOADED
privacytoolz123foryou[.]top321
threesmallhills[.]com296
privacy-toolz-for-you-5000[.]top264
privacytoolzforyou-7000[.]top231
privacytoolzforyou-7000[.]com212
privacytoolzforyou7000[.]top200
privacytoolzforyou-6000[.]top179
privacy-toolz-for-you-403[.]top177
privacy-tools-for-you-777[.]com150
privacytoolzforyou6000[.]top136

It’s apparent the operators running the “Privacy tools” domains heavily rely on PrivateLoader to deliver Smokeloader. An inspection of active distribution URLs showed these domains host a website that claims to offer “Privacy Tools.” This website likely is spoofing the real PrivacyTools[.]io website run by volunteers who advocate for data privacy.

Spoof Privacy Tools website
This image depicts the landing page of one of the “Privacy tools” domains.

These websites host Smokeloader payloads as part of three categories named “pab1”, “pab2” and “pab3”. These are not necessarily linked to the analogous “pub*” affiliate IDs, since we have seen some “pab2” payloads with the “555” affiliate ID. While tracking PrivateLoader, we only received links to download the “pab2” payloads from these websites. It is likely these operators use other methods or PPI services to distribute the Smokeloader family.

On Oct. 22, 2021, a “pab2” Smokeloader sample downloaded by PrivateLoader from one of these websites delivered the Qbot banking trojan. This is an unusual distribution method for Qbot and revealed the new botnet ID star01.

Banking trojans

There are other actors throughout the underground that leverage PrivateLoader for banking trojan distribution.

On Oct. 31, 2021, PrivateLoader bots connecting from European countries were instructed to download and execute the Kronos banking trojan from the following URL:

hxxp://2.56.59[.]42/EU/Yandex1500[.]exe

The downloaded sample also executed the Vidar information stealer. The download and execute commands for this sample stopped the following day.

On Nov. 1, 2021, PrivateLoader bots downloaded Dridex samples tied to the 10444 botnet, and Danabot with the affiliate identifier 40. The same day, bots also downloaded Trickbot samples with the group tags (gtags) lip*, tot* and top*. In all cases, the delivered samples embedded other malware families such as other banking trojans, information stealers or ransomware.

SAMPLE HASHMALWARE FAMILIESFIRST SEEN (UTC)LAST SEEN (UTC)OTHER DETECTED FAMILIES
14e7cc2eadc7c9bac1930f37e25303212c8974674b21ed052a483727836a5e43Trickbot: top1422021-11-01
17:19:30
2021-11-01
18:39:25

Nanocore RAT

Smokeloader

Redline

4554dc95f99d6682595812b677fb131a7e7c51a71daf461a57a57a0d903bb3fa

Trickbot: tot160

Trickbot: top141

Dridex: 10444

2021-11-01
11:20:11
2021-11-02
07:17:40

Tofsee

Redline

4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff

Trickbot: lip143

Trickbot: top142

2021-11-01
17:27:39
2021-11-02
07:46:21

njRAT

STOP Djvu

Redline

Vidar

5adbe8d0375d6531f1a523085f4df4151ad1bd7ae539692e2caa3d0d73301293

Trickbot: lip142

Dridex: 10444

2021-11-01
15:56:02
2021-11-02
02:03:00

Remcos

Tofsee

6abbd89e6ab5e1b63c38a8f78271a97d19bafff4959ea9d5bd5da3b185eb61e6Trickbot: top1412021-11-01
12:51:32
2021-11-02
02:02:59
Redline
929a591331bdc1972357059d451a651d575166f676ea51daaeb358aa2a1064b7Dridex: 104442021-11-01
17:29:03
2021-11-01
18:41:08

Smokeloader

Redline

aae0553b761e8bb3e58902a46cd98ee68310252734d1f8d9fd3b862aab8ed5c9Trickbot: lip1422021-11-01
16:14:42
2021-11-02
16:54:50
Redline
bf7b5f72b2055cfc8da01bb48cf5ae8e45e523860e0b23a65b9f14dbdbb7f4ee

Trickbot: lip141

Trickbot: top141

Trickbot: top142

Dridex: 10444

Danabot: affid 40

2021-11-01
11:14:58
2021-11-01
18:41:14

Redline

QuasarRAT

eef15f6416f756693cbfbfd8650ccb665771b54b4cc31cb09aeea0d13ec640cf

Trickbot: lip141

Trickbot: lip142

Trickbot: lip143

Trickbot: top141

2021-11-01
15:01:07
2021-11-02
02:03:33

Smokeloader

Lockbit

Redline

f9246be51464e71ff6b37975cd44359e8576f2bf03cb4028e536d7cfde3508fc

Trickbot: lip141

Trickbot: lip142

2021-11-01
15:09:14
2021-11-02
07:17:30
Redline
fcc49c9be5591f241ffd98db0752cb9e20a97e881969537fba5c513adbd72814

Trickbot: lip142

Dridex: 10444

2021-11-01
17:27:43
2021-11-01
18:41:04
Redline

The sample with the hash 929a591331bdc1972357059d451a651d575166f676ea51daaeb358aa2a1064b7 that embedded both Dridex and Smokeloader was downloaded from the following URL:

hxxp://privacytoolzfor-you6000[.]top/downloads/toolspab2.exe

In the previous subsection, we linked the “Privacy tools” websites to Smokeloader operators. It is unclear whether the operators behind these websites operated the Dridex 10444 botnet or only acted as a link in the delivery chain. However, we can assume the “Privacy tools” website was used for distribution since the same Dridex botnet identifier and controllers were seen across different hashes and delivery URLs during this period.

Seeing downloads for Danabot, Dridex, Kronos and Trickbot for the first time within the same time frame hardly can be regarded as a coincidence. Moreover, these trojans often were bundled with each other. Therefore, we assess a single entity likely operating these specific botnets was using the PrivateLoader PPI service at the time.

On Nov. 14, 2021, PrivateLoader bots started to download samples of the Danabot banking trojan with the affiliate ID 4 for a single day.

Based on these short outbursts that lasted no more than a day, we suspect the banking trojan operators were experimenting with this PPI service as another delivery mechanism for their malware.

Ransomware

Underground PPI services generally advise against deploying ransomware on target machines since it renders them unusable. However, cybercriminals have a reputation of not adhering to rules and deploy ransomware anyway.

The only time in which we detected ransomware samples downloaded by PrivateLoader was when it dropped banking trojans in early November 2021. The table in the previous subsection showed downloads for the LockBit and STOP Djvu ransomware families.

While analyzing payloads downloaded by PrivateLoader, we identified a new loader we dubbed Discoloader. Discoloader was written using the .NET framework and uses the Discord content delivery network (CDN) to host its payload. Although not directly from PrivateLoader, we observed samples of this family delivering Conti ransomware directly into infected hosts, which is an uncharacteristic delivery mechanism since this family typically only is deployed after total compromise of enterprise networks.

Conclusion

PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them a wide array of options to easily achieve their goals. As we have detailed, criminals have used PrivateLoader to launch all kinds of schemes. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader.

MITRE ATT&CK techniques

This report uses the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework.

TECHNIQUE TITLEIDUSE
Resource Development [TA0042]
Stage Capabilities: Upload MalwareT1608.001

PrivateLoader often hosts malicious payloads on the Discord CDN.

We observed recent controllers downloading attachments from just the 891006172130345095, 905701898806493199 and 896617596772839426 IDs.

Persistence [TA0003]
Create or Modify System Process: Windows ServiceT1543.003

PrivateLoader can be persisted as a startup service and is installed with the following attributes:

  • Service name: PowerControl.
  • Service display name: "Power monitoring service for your device."
  • Service start type: At system startup.
  • Service binary path: C:\Program Files. (x86)\PowerControl\PowerControl_Svc.exe.
Scheduled Task/Job: Scheduled TaskT1053.005The PrivateLoader service module always persists as a scheduled task that executes every hour. It also can be persisted as a logon scheduled task when a Windows service is not used.
Browser ExtensionsT1176PrivateLoader can download and silently install malicious browser extensions on Google Chrome and Microsoft Edge browsers.
Privilege Escalation [TA0004]
Abuse Elevation Control Mechanism: Bypass User Account ControlT1548.002The PrivateLoader core module uses a Windows 10 user account control (UAC) bypass technique to elevate privileges. The bypass uses a widely documented technique involving the ComputerDefaults.exe system executable (.exe) file, which has the auto-elevate option set.