Cyber threat actors are introducing new services to expand their "client" base. The Pay-per-Install (PPI) distribution model is based on revenue sharing and commissions. The PPI model was initially used to distribute advertisements but has since transitioned to installing malware. Malware authors often do not have the resources or bandwidth to spread their malware on a large scale. Instead, they rely on a network of affiliates who distribute the malware and, in return, are paid a commission for every installation or infection. A recent investigation of a Pay-per-Install malware service called PrivateLoader has revealed its crucial role in the delivery of a variety of malware, such as SmokeLoader, RedLine Stealer, Vidar, Raccoon, and GCleaner, since May 2021.
Loaders are malicious programs used for loading additional executables onto the infected machine. With PPI malware services such as PrivateLoader, malware operators pay the service owners to get their payloads "installed" based on the targets provided. "The accessibility and moderate costs allow malware operators to leverage these services as another weapon for rapid, bulk and geo-targeted malware infections," cybersecurity firm Intel 471 said in a new report.[1]
PrivateLoader, written in C++, is designed to retrieve URLs for the malicious payloads to be deployed on the infected host. Distribution relies primarily on a network of bait websites that have been rigged to appear prominently in search results via search engine optimization (SEO) poisoning, targeting users looking for pirated software. The targets are looking to avoid paying for licensed products and in turn become infected with malware. When a victim clicks the download button on one of these bait sites, embedded JavaScript behind the button delivers the payload as a .ZIP archive.
The business is initiated by an affiliate interested in building a network of infected computers. The affiliate signs up to a PPI site and receives a file from the PPI provider, which originally used to be a variant of an adware program. The affiliate then bundles the PPI-provided file with another program that can be hosted on their own site. This is done with a so-called binder program, which combines the adware provided by the PPI site with a known, legitimate-looking program. The end goal is for a victim to download the program and have the adware installed on their computer. Each PrivateLoader sample carries a region code that is transmitted to the C2 server together with the country of the bot. When this happens, the affiliate is paid for the install.
The administrative panel used by the PPI service offers a wealth of functions, including adding new users, configuring a link to the payload to be installed, modifying geolocation targeting based on the campaign, and even encrypting the load file. Other common payload families pushed by PrivateLoader include a mix of remote access trojans, banking malware, and ransomware, such as DanaBot, Formbook (XLoader), CryptBot, Remcos, NanoCore, TrickBot, Kronos, Dridex, NjRAT, BitRAT, Agent Tesla, Qbot, and LockBit. Likewise, another malware loader called Discoloader has been affiliated with the Conti ransomware family.
"PPI services have been a pillar of cybercrime for decades," the researchers said. "Just like the wider population, criminals are going to flock to software that provides them a wide array of options to easily achieve their goals."
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments or assistance, please contact the office directly at 1-844-492-7225 or feedback@wapacklabs.com.
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings
https://attendee.gotowebinar.com/register/5504229295967742989
[1] https://thehackernews.com/2022/02/several-malware-families-using-pay-per.html