CyberWire Daily - A popular malware scheme and pay-per-install services. [Research Saturday]
Episode Date: April 2, 2022

Guest Michael DeBolt from Intel 471 joins Dave Bittner on this episode to discuss one of the most popular commodity malware loaders on the underground – PrivateLoader. The blog provides an analysis of campaigns since May 2021, full details on a pay-per-install (PPI) malware service, the methods operators employ to obtain "installs," and insights on the malware families the service delivers. Intel 471's blog shows the breakdown of how the PrivateLoader download is delivered and how it works. The blog states, "Visitors are lured into clicking a 'Download Crack' or 'Download Now' button to obtain an allegedly cracked version of the software." Michael explains more about this popular commodity malware loader. The research can be found here: PrivateLoader: The first step in many malware schemes
Transcript
You're listening to the CyberWire Network, powered by N2K.

With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.
We started looking at PrivateLoader back in the August timeframe, 2021. We actually coined the name based on a text string we found in one of the first binaries the team was ripping apart, which contained the word PrivateLoader in one of the file directory paths.
That's Michael DeBolt. He's Chief Intelligence Officer at Intel 471.
The research we're discussing today is titled PrivateLoader: The first step in many malware schemes.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a record $75 million payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs
that are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust Plus AI stops attackers by hiding your attack surface, making apps and IPs invisible,
eliminating lateral movement, connecting users only to specific apps, not the entire network.
Continuously verifying every request based on identity and context.
Simplifying security management with AI-powered automation.
And detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com/security.
And since then, we've really just been tracking the evolution of the loader itself and the unidentified PPI service, which is a pay-per-install service that is connected to this PrivateLoader piece of malware. So the diversification of the different kinds of malware that this thing is deploying, and just the geographic spread of where we're seeing these victims, has been quite something to track over the past few months.
Can you help us understand what we're talking about when we say pay-per-install malware services?
What exactly does that represent?
Yeah, so let's take a step back.
PrivateLoader is a type of loader malware. Sometimes we call this a dropper malware. And its primary purpose is to install other malware payloads onto victim machines. Those other malware payloads could be anything from remote backdoors to banking trojans and information stealers; we've even seen ransomware at times. So this PrivateLoader malware is connected to a pay-per-install service which, interestingly enough, we actually haven't been able to connect to a known service in the underground.
We can touch on that if you want.
But PPI services have been around for a very, very long time.
They're typically advertised in underground forums, and they offer the convenience of outsourcing the distribution of malware in a very reliable and affordable way.
So operators behind PPI services, they basically earn money by accumulating infected hosts, and we call those installs, and spreading malware samples supplied by paying clients.
So clients can come in. They typically select which installs they want based on the number of installs, based on geographic location, and a number of other variables.
And like other enabling services that we see, like Bulletproof Hosting, for instance,
PPI services are really important for the cybercrime ecosystem because if you think about it over the years, us as security professionals, we've kind of made things increasingly harder and more difficult for malware operators to actually get their malware onto victims' machines.
So these dedicated services, they offer a great way for actors to offload this burden so they can focus their time and energy on the actual profits from their payloads, whatever that might be.
Right. Now, the folks who are offering up these pay-per-install services, I mean, do they have a collection of systems out there that they've already penetrated and are just waiting for them to pull the trigger and put your malware on there today?

They do have an inventory of pre-infected installs that are sort of ready-made, off the shelf, that you can get.
So the PrivateLoader malware is distributed through a network of fake websites that lure unsuspecting visitors to download cracked or pirated software. And the theme of the day for this group in particular is mostly around antivirus programs or privacy tools. So they use websites that have search engine optimization, or SEO, to appear at the top of the results page whenever users search for words like "cracked program" or "cracked download" or something similar. The visitor goes to one of those websites, they click on a download link, the embedded JavaScript makes a few redirects, and eventually downloads this PrivateLoader payload from one of the backend servers that the operators manage. And that's typically in the form of a password-protected zip file.
So then it gets onto the victim's machine, and the loader malware is either installed by itself or it may come with another payload from, say, a client who paid for that install: "Hey, I want to also drop an information stealer or a banking trojan or even another loader," like SmokeLoader, which is actually quite common in this case. And then, like you said, from there, once PrivateLoader is installed on the victim's machine, that victim becomes part of, we'll just call it, the PPI service's inventory. And then the actors can manage it. They log into a web panel, kind of an administration panel, where it's basically a portal where clients can log in, they can manage their installs, they can upload their malware to be encrypted and delivered. There's the statistics page. It's actually quite professionalized and quite common to see this in the PPI space.

Do you have any sense for how much churn they have? In other words, you know, they prepare a system to later have something dropped on it. Do we have any idea for how persistent they're able to be? How long they're able to stay on those systems, or are they noisy enough that they're getting detected and kicked out?

Yeah, I don't have any statistics to back any of this up, but I would say this is more of a quantity game than a quality game, if that makes any sense. I mean, this is more about accumulating as many installs as possible to give your clients, in this case malware operators that want to deploy their malware, as many options as possible around the world for them to choose which installs they want to deploy their malware to at any given time. So I'd say the churn is pretty heavy. I mean, you're talking about, you know, the vast majority of what is deployed through these PPI services is highly commoditized malware. So the blocking and tackling of those particular types of malware is a little bit easier than, say, nation-state curated malware, where it becomes a little bit more challenging to identify and block those attacks. So I'd say the churn is a little bit more for PPI services to try to keep up their inventory. But I mean, we're talking about many, many, many installs at any given time. They can withstand churn, if you will.

I see. One of the things that you all have tracked here in your research are the various malware families that get dropped here.
Can you give us a little description of what's going on and what this indicates to you?
It's interesting because on its face, there's nothing really that sets this PPI service apart from other similar services. In fact, most of the activity, and you'll see this in our blog, with the delivery mechanisms and the commodity malware that we're seeing it drop, is kind of low- to mid-level stuff. But one notable thing that did catch our attention, and we noted this in our blog as well, is that PrivateLoader was used to drop some high-profile malware, including Dridex and TrickBot and a couple of others, in a very short time window. So that's interesting. We don't know yet if this indicates any sort of formal partnership between the PPI service provider and those more sophisticated crews. It could be some sort of affiliate arrangement, or it could be that these crews are simply testing this new PrivateLoader PPI service as a new delivery mechanism. But it's definitely something to keep an eye on, as it would be an early indication, I would say, that this service is operating at a higher echelon of reputation and credibility by working with those more sophisticated malware families.
You also noted that PrivateLoader embeds a region code in its communications with its C2 server.
What does that represent in your estimation?
Sure. It's just another way for these PPI service providers to sort of categorize and offer clients who are coming in to select their installs another factor, another variable by which they can select installs that cater to the different types of malware that they're using. So say, for instance, I'm a malware operator and I want to target banks within a certain region. I'm going to select installs within that region where I know victims are logging into a certain bank or a set of banks within that region that my malware is catered to, say, steal their login credentials, for instance. So it's just another way for PPI services to offer that as another feature within their service that actors can leverage for more targeted geographic attacks.
Do you have anything that indicates any sort of, you know, with any confidence, any attribution of who's behind this?

Yeah, so that's the tricky part, right? Attribution is always the hardest thing to accomplish whenever we're doing cybercrime research. And I always like to say, just as a side note, we don't do attribution for attribution's sake. We want to do attribution to know who the actors are behind whatever the threat is so that we can establish a pattern of how they are acting, what are the TTPs that we're likely to see over and over again. Well, if you're chasing the brand names, it's harder to understand the TTPs, if you feel like you're starting over from square one each time. Well, in reality, some of these actors are just rebranding. They're the same actors doing the same stuff. They're just rebranding. So that's just kind of a side note around attribution. As it relates to this, I mean, we do have some indication of some of the actors that might be involved in developing this PrivateLoader malware and, in a sense, also connected with the unknown PPI service. I don't want to go too much into that right now just because it's kind of based on some sensitive methods that we're using and sources that we have. But I will say that we do, in all likelihood, expect that this PPI service will probably announce itself in the near term within the underground forums where we commonly see similar services announced.
Now, you point out that the most common payload you saw pushed by PrivateLoader was something called SmokeLoader. Anything noteworthy there?

Yeah, I mean, a loader pushing another loader, right? I mean, that's kind of what we're seeing here. You know, we've been tracking SmokeLoader for a long time. It's been on the scene since at least 2011, I think, if I'm not mistaken. It offers another layer of capability for actors who are using perhaps PrivateLoader for the initial delivery mechanism, but then landing SmokeLoader on an install. And SmokeLoader is very modular. So in addition to its loading capabilities, it also has a number of different functions that can be added on: password stealing, it could even do DDoS, cryptocurrency mining. So it's very flexible and it can be very persistent. So it's really no surprise to us to see that at the top of the list as kind of the top malware family that we're seeing pushed through this PrivateLoader malware.

You know, typically I will, you know, ask my guests what their recommendations are for people to protect themselves against this thing. But I guess it's fair to say number one is don't download cracked software.

Yeah, I think that's a pretty glaring takeaway here.
Yeah, I think you're right.
I mean, these are pretty straightforward security operations, tracking commodity malware. The biggest thing is you want to protect against, this is going to sound real obvious, right? But you want to protect against being a victim of a PPI installation. You don't want any of your employee workstations to become part of this inventory that bad guys can pick and choose from to deploy whatever malware they want to. It requires regularly monitoring the underground for these new PPI services and the associated loader malware that's connected to them. You understand their backend infrastructure, the delivery mechanisms. Like you said, searching for or installing cracked software, that's a big no-no. So maybe we can use that as employee awareness and training material to get them to understand the actual ramifications of what they're doing.

Right, right. If you find yourself at the point where you feel like you need to buy cracked antivirus software, please speak to the security team and we will do our best to get that funded for you.
Yeah, exactly. And it's interesting because we're seeing, you know, with the whole COVID pandemic thing over the past two or three years or whatever it is now, we've seen, with the, you know, remote working, you know, everybody going home and working and bringing your own device and all this stuff. I mean, it's not out of the realm of increased possibility and probability that you would see employees, well-intentioned employees, trying to secure their home laptop, right? And going out and doing it on their own. So it's definitely something to keep in mind.
Our thanks to Michael DeBolt from Intel 471 for joining us. The research is titled PrivateLoader: The first step in many malware schemes. We'll have a link in the show notes.
And now a message from Black Cloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24/7, 365, with Black Cloak. Learn more at blackcloak.io
The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Trey Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.