Researchers Find Connections Between PrivateLoader and Ruzki Pay-Per-Install Services

Cybersecurity researchers at SEKOIA have discovered connections between PrivateLoader, a widely used pay-per-install (PPI) malware service, and the ruzki pay-per-install service.

The researchers said, “The threat actor ruzki (aka les0k, zhigalsz) has advertised their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021.”

The cybersecurity firm says the PPI malware service, which can infect over 3 million devices globally, is powered by a loader called PrivateLoader, the proprietary loader of the ruzki PPI malware service.

PrivateLoader is a C++-based loader that reaches Windows machines through SEO-optimized websites claiming to offer cracked software; once on a host, it downloads and deploys additional malicious payloads. It is widely distributed with

It has been in use since May 2021, according to Intel’s website. Malware commonly associated with PrivateLoader includes Redline Stealer, Socelars, Raccoon Stealer, Vidar, Tofsee, Amadey, DanaBot, and STOP.

In May 2022, Trend Micro identified malware distributing a framework called NetDooka. More recently, BitSight observed significant infections in India and Brazil as of July 2022.

A shift SEKOIA has spotted is the use of a documents service to host the malicious payloads, likely motivated by increased monitoring of the platform’s content delivery network.

PrivateLoader communicates with various C2 servers, which handle the download and delivery of data. It can communicate with four active C2 servers: two in Russia and one each in Czechia and Germany.

Researchers said that PrivatePicker and PrivateLoader are popular on the black market. SEKOIA found that some private and public entities in the U.S., Europe, and elsewhere have been infiltrated by a threat actor that sells bundles of 1,000 and up to 100,000 infected systems.

Advertising for the PPI service can be found on the Lolz Guru cybercrime forum. The researchers found that the malware distribution relied on a service that involved no payment.

PrivacyLockers are lowering the cost of entry into the cybercriminal market, and PrivacyLocker-related activity is highly likely to be seen in the short term.
