Pay-per-install services provide access to thousands of compromised computers

The PrivateLoader malware, the loader behind a pay-per-install service that lets cyber criminals buy access to thousands of infected computers in the US and other regions, is one of the most widespread security threats of 2022.


Pay-per-install (PPI) services are used in the cybercrime underground to monetize the installation of malware on computers. A cyber criminal who manages to build a network of infected computers can sell access to those computers, either by running the whole operation alone or by joining a criminal PPI organization as an affiliate.


People who buy access to networks of infected computers do so for various purposes, e.g. to run DDoS attacks, mine cryptocurrency or harvest information useful for financial fraud.

How does PrivateLoader work?

PPI operators track the number of installations, the locations of the infected computers and the software specifications of those machines. To do so, they generally deploy a loader during infection: it reports back for tracking purposes and also manages the additional payloads pushed to the infected devices. This is where PrivateLoader comes in, as Sekoia reports.

PrivateLoader is one of the most widespread loaders used by cyber criminals in 2022. It is commonly used as part of a PPI service and delivers several different malware families operated by several different cyber criminals.

The malware is a modular loader written in C++. It has three modules: the core module is responsible for obfuscation, fingerprinting of infected hosts and anti-analysis techniques; a second module contacts the command and control (C2) server to download and run additional payloads; and a third module ensures persistence.


Communication between the infected computer and the C2 is obfuscated using simple algorithms such as byte substitution and a single-byte XOR operation. The loader first decodes obfuscated URLs hard-coded in its binary, then requests those URLs to obtain the address of the C2 server. The C2 server in turn returns the URL of the final payload. According to Sekoia researchers, the hosting location of the payloads has changed over the year, moving from Discord to other hosts, including custom URLs (Figure A).

Figure A

Image: PrivateLoader network communication
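The two obfuscation layers mentioned above (single-byte XOR over the hard-coded URLs, byte substitution over the C2 exchange) are weak enough that an analyst can usually strip them without the key. The script below is an added example written for this article, not code from the Sekoia report or from the malware. The URLs, the XOR key and the substitution table are all constructed for the demonstration; the IP addresses are RFC 5737 documentation ranges, not real C2 infrastructure. It shows the two checks a practitioner actually makes: brute-forcing the 256 possible XOR keys and keeping the one that yields a printable URL, and running a known-plaintext crib (`http://`) against the substitution layer to recover table entries or prove the data is not a simple substitution at all.

```python
"""Recovering single-byte-XOR and byte-substitution obfuscated strings.

Everything here is constructed for the example: no sample data, keys or
tables are taken from real PrivateLoader binaries.
"""

KNOWN_PREFIXES = (b"http://", b"https://")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in data)


def build_substitution_table(seed: int) -> bytes:
    """Deterministic 256-byte permutation (Fisher-Yates driven by a small LCG).

    Stands in for a table that would be carved out of a real sample.
    """
    table = list(range(256))
    state = seed & 0x7FFFFFFF
    for i in range(255, 0, -1):
        state = (1103515245 * state + 12345) & 0x7FFFFFFF
        j = state % (i + 1)
        table[i], table[j] = table[j], table[i]
    return bytes(table)


def invert_table(table: bytes) -> bytes:
    """Turn a plain->obfuscated table into obfuscated->plain; rejects non-bijective input."""
    if len(table) != 256 or len(set(table)) != 256:
        raise ValueError("substitution table must be a permutation of 0..255")
    inverse = bytearray(256)
    for plain, obf in enumerate(table):
        inverse[obf] = plain
    return bytes(inverse)


def substitute(data: bytes, table: bytes) -> bytes:
    """Apply a 256-entry byte substitution table."""
    return bytes(table[b] for b in data)


def recover_xor_key(blob: bytes, prefixes=KNOWN_PREFIXES):
    """Brute-force all 256 keys; accept the one whose output is a printable URL.

    Returns (key, plaintext) or None if no key produces a plausible URL.
    """
    for key in range(256):
        candidate = xor_single_byte(blob, key)
        if candidate.startswith(prefixes) and all(0x20 <= b < 0x7F for b in candidate):
            return key, candidate
    return None


def recover_substitution_entries(blob: bytes, crib: bytes) -> dict:
    """Known-plaintext attack on a substitution layer.

    Maps obfuscated bytes to plain bytes wherever the crib covers the blob.
    Raises ValueError if the crib contradicts itself, which means the data
    is not a plain byte-for-byte substitution.
    """
    if len(crib) > len(blob):
        raise ValueError("crib longer than blob")
    mapping = {}
    for obf, plain in zip(blob, crib):
        if mapping.get(obf, plain) != plain:
            raise ValueError(f"byte {obf:#04x} would map to two different plaintexts")
        mapping[obf] = plain
    return mapping


def decode_response(response: bytes, table: bytes) -> bytes:
    """Undo the substitution layer once the table is known from the sample."""
    return substitute(response, invert_table(table))


# --- constructed sample data (documentation IPs, not real infrastructure) ---
SAMPLE_KEY = 0x5A
SAMPLE_URL = b"http://203.0.113.10/loader/gate"
SAMPLE_XOR_BLOB = xor_single_byte(SAMPLE_URL, SAMPLE_KEY)      # as it would sit in the binary

SAMPLE_TABLE = build_substitution_table(seed=0x1337)
SAMPLE_PAYLOAD_URL = b"http://198.51.100.7/payload/setup.exe"
SAMPLE_RESPONSE = substitute(SAMPLE_PAYLOAD_URL, SAMPLE_TABLE)  # as the C2 would return it


if __name__ == "__main__":
    key, url = recover_xor_key(SAMPLE_XOR_BLOB)
    print(f"XOR key {key:#04x} -> {url.decode()}")
    print("payload URL:", decode_response(SAMPLE_RESPONSE, SAMPLE_TABLE).decode())
    partial = recover_substitution_entries(SAMPLE_RESPONSE, b"http://")
    print(f"crib recovered {len(partial)} substitution table entries")
```

The printable-bytes check in `recover_xor_key` matters in practice: a URL prefix alone is a weak filter, and without it a stray key can pass on short blobs. The crib attack only recovers the table entries the known plaintext touches, so a full decode still needs the table extracted from the sample; its real value is the contradiction check, which tells you quickly whether a single-layer substitution is even the right model for the traffic you are looking at.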

Sekoia researchers identified four active C2 servers operated by the PPI service, two of them in Russia and the other two in the Czech Republic and Germany. They also found more than 30 other unique C2 servers that had likely been shut down once discovered by security vendors.

What payloads are distributed?

Last week’s PrivateLoader campaigns distributed these types of malware:

  • information stealers: RedLine, Vidar, Raccoon, Eternity, Socelars, Fabookie, YTStealer, AgentTesla, Phoenix and more
  • ransomware: Djvu
  • botnets: DanaBot and SmokeLoader
  • cryptocurrency miners: XMRig and more
  • commodity malware: DcRAT, Glupteba, NetSupport and Nymaim

It is interesting to note that, as previously reported, some of these information stealers are among those most commonly used by traffer teams (groups that specialise in driving victims to malware). The researchers suggest that while most PPI services use their own traffic distribution networks, some likely also purchase traffic-generation services such as those offered by traffer teams.


Who is Ruzki PPI?

Sekoia’s investigation linked the use of PrivateLoader to a specific PPI service run by Russian-speaking cyber criminals and called “ruzki”, also known as “lesOk” or “zhigalsz” (Figure B).

Figure B

Image: Lolz Guru forum thread advertising the ruzki PPI service.

Ruzki’s PPI service sells installations in bundles of thousands, located on compromised systems around the world.

Prices listed as of September 2022 ranged from US$70 for a mix of installations around the world to US$1,000 for installations in the US.

The threat actor can sell the same installs to multiple customers at once, or sell exclusive access at a higher price.

The service offered up to 20,000 installations per day when it launched, but no recent data on its performance could be found. According to Sekoia, data from May 2021 showed roughly 800 webmasters feeding the service through multiple infection chains, and the researchers suspect one or more traffer teams behind those webmasters.

Ruzki owns PrivateLoader

Conversations between subscribers of the ruzki service, observed on social networks, revealed a URL provided by the PPI service that exactly matched a PrivateLoader C2 server. In addition, IP addresses mentioned by ruzki customers had already been categorized by the researchers as PrivateLoader C2 servers.


Furthermore, several PrivateLoader instances downloaded RedLine as their final payload, and most of those RedLine samples carried direct references to ruzki in their configuration, such as “ruzki”, “ruzki9” or “3108_RUZKI”. Finally, Sekoia identified a single botnet connected to all of the PrivateLoader C2 servers.

Given all of these links between the ruzki service and PrivateLoader, the researchers concluded that “PrivateLoader is the proprietary loader of the ruzki PPI malware service”.

How can organizations protect themselves from this threat?

PPI services depend on getting malware onto computers in the first place. The operators behind them use different infection methods, but one of the most common is a network of websites claiming to offer “cracks” for popular software; the loader may also be distributed as a direct download of sought-after software on peer-to-peer networks. Users should therefore be strongly discouraged from downloading pirated software, and above all from running executables associated with cracking.

It is also highly recommended to keep operating systems and all software up to date and patched, so that the loader’s delivery chain cannot fall back on known vulnerabilities. Multi-factor authentication should be enforced on all Internet-facing services, so that credentials harvested by the stealers PrivateLoader drops cannot simply be replayed by an attacker to log in as the user.

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.
