Researchers Find Link b/w PrivateLoader and Ruzki Pay-Per-Install Services
Cybersecurity researchers have exposed new connections between a widely used pay-per-install (PPI) malware service known as PrivateLoader and another PPI platform offered by a cybercriminal actor dubbed ruzki.
“The threat actor ruzki (aka les0k, zhigalsz) advertises their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021,” SEKOIA said.
The cybersecurity firm said its investigations into the twin services led it to conclude that PrivateLoader is the proprietary loader of the ruzki PPI malware service.
PrivateLoader, as the name implies, functions as a C++-based loader to download and deploy additional malicious payloads on infected Windows hosts. It’s primarily distributed through SEO-optimized websites that claim to provide cracked software.
Although it was first documented earlier this February by Intel471, it’s said to have been put to use starting as early as May 2021.
Some of the most common commodity malware families propagated through PrivateLoader include Redline Stealer, Socelars, Raccoon Stealer, Vidar, Tofsee, Amadey, DanaBot, and ransomware strains Djvu and STOP.
A May 2022 analysis from Trend Micro uncovered the malware distributing a framework called NetDooka. A follow-up report from BitSight late last month found significant infections in India and Brazil as of July 2022.
A new change spotted by SEKOIA is the use of VK.com documents service to host the malicious payloads as opposed to Discord, a shift likely motivated by increased monitoring of the platform’s content delivery network.
PrivateLoader is also configured to communicate with command-and-control (C2) servers to fetch and exfiltrate data. As of mid-September, there are four active C2 servers, two in Russia and one each in Czechia and Germany.
“Based on the wide selection of malware families, which implies a wide range of threat actors or intrusion sets operating this malware, the PPI service running PrivateLoader is very attractive and popular to attackers on underground markets,” the researchers said.
SEKOIA further said it unearthed ties between PrivateLoader and ruzki, a threat actor that sells bundles of 1,000…
