Several Malware Use A Pay-Per-Install Service To Expand Their Target Base.

A detailed investigation of a pay-per-install (PPI) malware service named PrivateLoader has exposed its central role, since at least May 2021, in distributing malware families including SmokeLoader, RedLine Stealer, Vidar, Raccoon, and GCleaner.

Loaders are malicious applications that fetch and run other executables on the compromised computer. Malware operators pay the operators of PPI malware services like PrivateLoader to have their payloads “loaded” onto the targets they specify.

PrivateLoader is a C++ programme that retrieves URLs for malicious payloads to be deployed on the infected host. The payloads are distributed through a network of bait websites that have been rigged to appear prominently in search results via search engine optimization (SEO) poisoning methods targeting users looking for pirated software.

The PPI service’s administrator panel lets customers add new users, configure the URL of the payload to be installed, adjust geographical targeting per campaign, and even encrypt the load file.

Finally, the researchers concluded: “PPI services have been a pillar of cybercrime for decades. Criminals, like the rest of the public, will gravitate to software that gives them a variety of options for accomplishing their objectives quickly.”

SAMPLE HASH (SHA-256) | MALWARE FAMILIES | FIRST SEEN (UTC) | LAST SEEN (UTC) | OTHER DETECTED FAMILIES
14e7cc2eadc7c9bac1930f37e25303212c8974674b21ed052a483727836a5e43 | Trickbot: top142 | 2021-11-01 17:19:30 | 2021-11-01 18:39:25 | Nanocore RAT, Smokeloader, Redline
4554dc95f99d6682595812b677fb131a7e7c51a71daf461a57a57a0d903bb3fa | Trickbot: | | |
4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff | Trickbot: lip143, Trickbot: top142 | 2021-11-01 17:27:39 | 2021-11-02 07:46:21 | njRAT, STOP Djvu, Redline, Vidar
5adbe8d0375d6531f1a523085f4df4151ad1bd7ae539692e2caa3d0d73301293 | Trickbot: lip142, Dridex: 10444 | 2021-11-01 15:56:02 | 2021-11-02 02:03:00 | Remcos, Tofsee
6abbd89e6ab5e1b63c38a8f78271a97d19bafff4959ea9d5bd5da3b185eb61e6 | Trickbot: top141 | 2021-11-01 12:51:32 | 2021-11-02 02:02:59 | Redline
929a591331bdc1972357059d451a651d575166f676ea51daaeb358aa2a1064b7 | Dridex: 10444 | 2021-11-01 17:29:03 | 2021-11-01 18:41:08 | Smokeloader, Redline
aae0553b761e8bb3e58902a46cd98ee68310252734d1f8d9fd3b862aab8ed5c9 | Trickbot: lip142 | 2021-11-01 16:14:42 | 2021-11-02 16:54:50 | Redline
bf7b5f72b2055cfc8da01bb48cf5ae8e45e523860e0b23a65b9f14dbdbb7f4ee | Trickbot: lip141, Trickbot: top141, Trickbot: top142, Dridex: 10444, Danabot: affid 40 | 2021-11-01 11:14:58 | 2021-11-01 18:41:14 | Redline, QuasarRAT
eef15f6416f756693cbfbfd8650ccb665771b54b4cc31cb09aeea0d13ec640cf | Trickbot: lip141, Trickbot: lip142, Trickbot: lip143, Trickbot: top141 | 2021-11-01 15:01:07 | 2021-11-02 02:03:33 | Smokeloader, Lockbit, Redline
f9246be51464e71ff6b37975cd44359e8576f2bf03cb4028e536d7cfde3508fc | Trickbot: lip141, Trickbot: lip142 | 2021-11-01 15:09:14 | 2021-11-02 07:17:30 | Redline
fcc49c9be5591f241ffd98db0752cb9e20a97e881969537fba5c513adbd72814 | Trickbot: lip142, Dridex: 10444 | 2021-11-01 17:27:43 | 2021-11-01 18:41:04 |
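As an added example (not code from the post or from the researchers it cites), the following Python script parses the indicator table above into records, then sweeps a directory and reports any file whose SHA-256 matches a listed sample. The table text embedded in the script is copied from the post; rows whose trailing cells are missing there are kept with empty cells. The file the demo creates is a constructed, benign placeholder and will not match anything.

```python
"""Match files on disk against the PrivateLoader-related SHA-256 indicators listed above."""
import hashlib
import os
import tempfile
from dataclasses import dataclass

# Rows copied from the indicator table in this post, pipe-separated:
# sha256 | malware families | first seen (UTC) | last seen (UTC) | other detected families.
# Rows that are truncated in the post keep empty cells rather than invented values.
IOC_TABLE = """
14e7cc2eadc7c9bac1930f37e25303212c8974674b21ed052a483727836a5e43 | Trickbot: top142 | 2021-11-01 17:19:30 | 2021-11-01 18:39:25 | Nanocore RAT, Smokeloader, Redline
4554dc95f99d6682595812b677fb131a7e7c51a71daf461a57a57a0d903bb3fa | Trickbot: | | |
4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff | Trickbot: lip143, Trickbot: top142 | 2021-11-01 17:27:39 | 2021-11-02 07:46:21 | njRAT, STOP Djvu, Redline, Vidar
5adbe8d0375d6531f1a523085f4df4151ad1bd7ae539692e2caa3d0d73301293 | Trickbot: lip142, Dridex: 10444 | 2021-11-01 15:56:02 | 2021-11-02 02:03:00 | Remcos, Tofsee
6abbd89e6ab5e1b63c38a8f78271a97d19bafff4959ea9d5bd5da3b185eb61e6 | Trickbot: top141 | 2021-11-01 12:51:32 | 2021-11-02 02:02:59 | Redline
929a591331bdc1972357059d451a651d575166f676ea51daaeb358aa2a1064b7 | Dridex: 10444 | 2021-11-01 17:29:03 | 2021-11-01 18:41:08 | Smokeloader, Redline
aae0553b761e8bb3e58902a46cd98ee68310252734d1f8d9fd3b862aab8ed5c9 | Trickbot: lip142 | 2021-11-01 16:14:42 | 2021-11-02 16:54:50 | Redline
bf7b5f72b2055cfc8da01bb48cf5ae8e45e523860e0b23a65b9f14dbdbb7f4ee | Trickbot: lip141, Trickbot: top141, Trickbot: top142, Dridex: 10444, Danabot: affid 40 | 2021-11-01 11:14:58 | 2021-11-01 18:41:14 | Redline, QuasarRAT
eef15f6416f756693cbfbfd8650ccb665771b54b4cc31cb09aeea0d13ec640cf | Trickbot: lip141, Trickbot: lip142, Trickbot: lip143, Trickbot: top141 | 2021-11-01 15:01:07 | 2021-11-02 02:03:33 | Smokeloader, Lockbit, Redline
f9246be51464e71ff6b37975cd44359e8576f2bf03cb4028e536d7cfde3508fc | Trickbot: lip141, Trickbot: lip142 | 2021-11-01 15:09:14 | 2021-11-02 07:17:30 | Redline
fcc49c9be5591f241ffd98db0752cb9e20a97e881969537fba5c513adbd72814 | Trickbot: lip142, Dridex: 10444 | 2021-11-01 17:27:43 | 2021-11-01 18:41:04 |
"""


@dataclass(frozen=True)
class Indicator:
    sha256: str
    families: tuple        # tags from the "malware families" column
    first_seen: str
    last_seen: str
    other_families: tuple  # families detected alongside the sample


def _split_list(cell: str) -> tuple:
    """Turn a comma-separated cell into a tuple of trimmed, non-empty names."""
    return tuple(x.strip() for x in cell.split(",") if x.strip())


def parse_ioc_table(text: str) -> dict:
    """Parse the pipe table into {sha256: Indicator}; rejects malformed rows and hashes."""
    iocs = {}
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 5:
            raise ValueError(f"expected 5 columns, got {len(cells)}: {line!r}")
        digest = cells[0].lower()
        if len(digest) != 64 or any(ch not in "0123456789abcdef" for ch in digest):
            raise ValueError(f"not a SHA-256 hex digest: {digest!r}")
        iocs[digest] = Indicator(digest, _split_list(cells[1]), cells[2], cells[3], _split_list(cells[4]))
    return iocs


def sha256_of_file(path: str, chunk: int = 1 << 20) -> str:
    """Hash a file in chunks so large downloads need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def scan_directory(root: str, iocs: dict) -> list:
    """Return (path, Indicator) for every regular file under root whose SHA-256 is listed."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_of_file(path)
            except OSError:
                continue  # unreadable file: skip it rather than abort the sweep
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


if __name__ == "__main__":
    indicators = parse_ioc_table(IOC_TABLE)
    print(f"loaded {len(indicators)} indicators")
    with tempfile.TemporaryDirectory() as scan_root:
        # Constructed benign placeholder file; it matches no indicator.
        with open(os.path.join(scan_root, "setup.exe"), "wb") as f:
            f.write(b"constructed placeholder, not a real sample")
        for path, ioc in scan_directory(scan_root, indicators):
            print(path, ioc.sha256, ioc.families, ioc.other_families)
```

Point `scan_directory` at a download or temp folder to check it against the list; a hit reports the path together with the families the post associates with that sample, which is the context a responder needs before escalating.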
