Malware families are offering services like PrivateLoader as a Pay Per Install Service to expand their target. This is instrumental in the delivery of a range of malware such as SmokeLoader, RedLine Stealer, Vidar, Raccoon, and GCleaner since at least May 2021.
The Loaders are used by bad actors to load additional executables to infect machines. PrivateLoader is a PPI malware service offered to malware operators to get their payloads “installed” based on the targets provided.
According to a blog post in Intel471, “The accessibility and moderate costs allow malware operators to leverage these services as another weapon for rapid, bulk and geo-targeted malware infections.”
The PrivateLoader program is written in C++ and is designed to retrieve URLs for the malicious payloads to be deployed on the infected host. It mainly relies on a network of bait websites rigged to appear prominently in search results via search engine optimization (SEO) poisoning methods targeting users looking for pirated software.
The PPI uses the administrative panel to offer a ton of functions, which includes adding new users, configuring a link to the payload to be installed, modifying geolocation targeting based on the campaign, and even encrypting the load file.
PrivateLoader also pushes common payload families which includes a mix of remote access trojans, banking malware, and ransomware like DanaBot, Formbook (aka XLoader), CryptBot, Remcos, NanoCore, TrickBot, Kronos, Dridex, NjRAT, BitRAT, Agent Tesla, and LockBit.
The researchers added, “PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them a wide array of options to easily achieve their goals.”