Researchers Find Link b/w PrivateLoader and Ruzki Pay-Per-Install Services

Cyber Security

Cybersecurity researchers have exposed new connections between a widely used pay-per-install (PPI) malware service known as PrivateLoader and another PPI service dubbed ruzki.

“The threat actor ruzki (aka les0k, zhigalsz) advertises their PPI service on underground Russian-speaking forums and their Telegram channels under the name ruzki or zhigalsz since at least May 2021,” SEKOIA said.

The cybersecurity firm said its investigations into the twin services led it to conclude that PrivateLoader is the proprietary loader of the ruzki PPI malware service.

PrivateLoader, as the name implies, functions as a C++-based loader to download and deploy additional malicious payloads on infected Windows hosts. It’s primarily distributed through SEO-optimized websites that claim to provide cracked software.

Although it was first documented earlier this February by Intel471, it’s said to have been put to use starting as early as May 2021.

Some of the most common commodity malware families propagated through PrivateLoader include Redline Stealer, Socelars, Raccoon Stealer, Vidar, Tofsee, Amadey, DanaBot, and ransomware strains Djvu and STOP.

A May 2022 analysis from Trend Micro uncovered the malware distributing a framework called NetDooka. A follow-up report from BitSight late last month found significant infections in India and Brazil as of July 2022.

A new change spotted by SEKOIA is the use of VK.com documents service to host the malicious payloads as opposed to Discord, a shift likely motivated by increased monitoring of the platform’s content delivery network.

PrivateLoader is also configured to communicate with command-and-control (C2) servers to fetch and exfiltrate data. As of mid-September, there are four active C2 servers, two in Russia and one each in Czechia and Germany.

“Based on the wide selection of malware families, which implies a wide range of threat actors or intrusion sets operating this malware, the PPI service running PrivateLoader is very attractive and popular to attackers on underground markets,” the researchers said.

SEKOIA further said it unearthed ties between PrivateLoader and ruzki, a threat actor that sells bundles of 1,000 installations on infected systems located across the world ($70), or specifically Europe ($300) or the U.S. ($1,000).

These advertisements, which have been placed in the Lolz Guru cybercrime forum, target threat actors (aka prospective customers) who wish to distribute their payloads through the PPI service.

The association stems mainly from the below observations –

  • An overlap between the PrivateLoader C2 servers and that of URLs provided by ruzki to the subscribers so as to monitor installation statistics related to their campaigns
  • References to ruzki in PrivateLoader botnet sample names that were used to deliver the Redline Stealer, such as ruzki9 and 3108_RUZKI, and
  • The fact that both PrivateLoader and ruzki commenced operations in May 2021, with the ruzki operator using the term “our loader” in Russian on its Telegram channel

“Pay-per-Install services always played a key role in the distribution of commodity malware,” the researchers said.

“As yet another turnkey solution lowering the cost of entry into the cybercriminal market and a service contributing to a continuous professionalization of the cybercriminal ecosystem, it is highly likely more PrivacyLoader-related activity will be observed in the short term.”