A detailed examination of a Pay-per-install (PPI) malware service called PrivateLoader has revealed its crucial role in the delivery of a variety of malware such as SmokeLoader, RedLine Stealer, Vidar, Raccoon, and GCleaner since at least May 2021.
Loaders can be malicious programs that load additional executables on infected machines. With PPI malware services such as PrivateLoader, malware operators pay the service owners to get their payloads “installed” based on the targets provided.
“The accessibility and moderate costs allow malware operators to leverage these services as another weapon for rapid, bulk and geo-targeted malware infections,” cybersecurity firm Intel 471 said in a new report shared with The Hacker News.
PrivateLoader is written in C++ and allows you to find URLs that will allow malicious payloads on infected hosts. The distribution relies on bait sites, which have been designed to show up prominently in search results using search engine poisoning techniques. This method targets users who are looking for pirated software.
The administrative panel of the PPI Service offers many functions. These include adding users and configuring the link to the payload that will be installed. Modifying geolocation targeting according to campaign. Encrypting the loadfile.
Other common payload families pushed by PrivateLoader include a mix of remote access trojans, banking malware, and ransomware like DanaBot, Formbook (aka XLoader), CryptBot, Remcos, NanoCore, TrickBot, Kronos, Dridex, NjRAT, BitRAT, Agent Tesla, and LockBit.
“PPI services have been a pillar of cybercrime for decades,” the researchers said. Criminals will flock to software which offers them many options for achieving their goals, just like the rest of society. “