[MART] - Daily Diary #504 - The Pay-Per-Install Malware Business

CTAS-MAT ctas-mat at appgate.com
Thu May 5 21:21:53 UTC 2022


Hello,
I hope everyone is doing well!

Below is the entry for today.

05/05/2022 - Diary entry #504

In our recent Daily Diaries, we covered many cybercrime gangs operating under the malware-as-a-service business model. Today we are going to cover PrivateLoader, a malware service that charges on a PPI (Pay-Per-Install) basis and is gaining popularity as a delivery mechanism for many other malware families. PrivateLoader was first disclosed in 2021. Written in C++, it provides an administrative panel that cybercriminals use to manage their campaigns. The platform allows attackers to configure the payload links, add geolocation locks to their campaigns, and encrypt the payloads.

The PrivateLoader malware is a downloader that is spread through social engineering campaigns, such as spam and phishing e-mails. When executed, it downloads the configured payload to the machine, decrypts it, and starts the next step in the attack chain. Besides encrypting the payload, PrivateLoader employs other anti-analysis techniques, such as encrypting its strings and obfuscating integer constants in the code.

PrivateLoader samples have been found delivering a variety of malware, such as Vidar (covered in our Daily Diary #478), RedLine Stealer (mentioned in our Daily Diary #455), SmokeLoader (also mentioned in our Daily Diary #455), LockBit (covered in our Daily Diary #325, #339, and #440), TrickBot (covered in our Daily Diary #472), and Agent Tesla (covered in our Daily Diary #288).

This malware is yet another example of the expansion of the cybercrime malware-as-a-service business. As these techniques evolve, more gangs will begin to develop their own malware-as-a-service offerings, each specializing in a single piece of the attack chain.

Kind Regards,





Felipe Duarte Domingues
Manager - MART
Appgate

E: felipe.duarte at appgate.com
