Pay-Per-Install (PPI) is a malware service widely used in the cybercrime ecosystem that monetizes the installation of malicious software. SEKOIA observed that PrivateLoader was one of the most widely used loaders in 2022. It is used by a PPI service to deploy multiple malicious payloads on infected hosts.
The threat actor ruzki (aka les0k, zhigalsz) has advertised their PPI service on underground Russian-speaking forums and on their Telegram channels, under the name ruzki or zhigalsz, since at least May 2021. Their business model consists of selling bundles of a thousand installations on systems located all over the world, or specifically in Europe or in the United States.
First observed in May 2021, PrivateLoader is a modular C++ malware whose main capability is to download and execute one or several payloads. The loader implements anti-analysis techniques, fingerprints the compromised host and reports statistics to its C2 server. It is composed of three modules: the Loader module, which loads the Core module; the Core module, which contacts the Command and Control (C2) server to obtain the URL of the next payload to download; and the Service module, which ensures persistence. Its main use consists of loading one or more third-party malware families.
SEKOIA observed the following malware families being actively distributed as PrivateLoader payloads:
- Information stealers: Redline, Vidar, Raccoon, Eternity, Socelars, Fabookie, YTStealer, AgentTesla, Phoenix and other uncategorized stealers.
- Ransomware: Djvu.
- Botnet: Danabot, SmokeLoader.
- Miners: XMRig and other uncategorized miners.
- Other commodity malware: DcRAT, Glupteba, Netsupport, and Nymaim variant.