These websites host Smokeloader payloads as part of three categories named “pab1”, “pab2” and “pab3”. These are not necessarily linked to the analogous “pub*” affiliate IDs, since we have seen some “pab2” payloads with the “555” affiliate ID. While tracking PrivateLoader, we only received links to download the “pab2” payloads from these websites. It is likely these operators use other methods or PPI services to distribute the Smokeloader family.
On Oct. 22, 2021, a “pab2” Smokeloader sample downloaded by PrivateLoader from one of these websites delivered the Qbot banking trojan. This is an unusual distribution method for Qbot and revealed the new botnet ID star01.
Banking trojans
There are other actors throughout the underground that leverage PrivateLoader for banking trojan distribution.
On Oct. 31, 2021, PrivateLoader bots connecting from European countries were instructed to download and execute the Kronos banking trojan from the following URL:
| hxxp://2.56.59[.]42/EU/Yandex1500[.]exe |
The downloaded sample also executed the Vidar information stealer. The download and execute commands for this sample stopped the following day.
On Nov. 1, 2021, PrivateLoader bots downloaded Dridex samples tied to the 10444 botnet, and Danabot with the affiliate identifier 40. The same day, bots also downloaded Trickbot samples with the group tags (gtags) lip*, tot* and top*. In all cases, the delivered samples embedded other malware families such as other banking trojans, information stealers or ransomware.
| SAMPLE HASH | MALWARE FAMILIES | FIRST SEEN (UTC) | LAST SEEN (UTC) | OTHER DETECTED FAMILIES |
|---|---|---|---|---|
| 14e7cc2eadc7c9bac1930f37e25303212c8974674b21ed052a483727836a5e43 | Trickbot: top142 | 2021-11-01 17:19:30 |
2021-11-01 18:39:25 |
Nanocore RAT Smokeloader Redline |
| 4554dc95f99d6682595812b677fb131a7e7c51a71daf461a57a57a0d903bb3fa |
Trickbot: tot160 Trickbot: top141 Dridex: 10444 |
2021-11-01 11:20:11 |
2021-11-02 07:17:40 |
Tofsee Redline |
| 4ed7609cbb86ea0b7607b8a002e7f85b316903c3b6801240c9576aae8b3052ff |
Trickbot: lip143 Trickbot: top142 |
2021-11-01 17:27:39 |
2021-11-02 07:46:21 |
njRAT STOP Djvu Redline Vidar |
| 5adbe8d0375d6531f1a523085f4df4151ad1bd7ae539692e2caa3d0d73301293 |
Trickbot: lip142 Dridex: 10444 |
2021-11-01 15:56:02 |
2021-11-02 02:03:00 |
Remcos Tofsee |
| 6abbd89e6ab5e1b63c38a8f78271a97d19bafff4959ea9d5bd5da3b185eb61e6 | Trickbot: top141 | 2021-11-01 12:51:32 |
2021-11-02 02:02:59 |
Redline |
| 929a591331bdc1972357059d451a651d575166f676ea51daaeb358aa2a1064b7 | Dridex: 10444 | 2021-11-01 17:29:03 |
2021-11-01 18:41:08 |
Smokeloader Redline |
| aae0553b761e8bb3e58902a46cd98ee68310252734d1f8d9fd3b862aab8ed5c9 | Trickbot: lip142 | 2021-11-01 16:14:42 |
2021-11-02 16:54:50 |
Redline |
| bf7b5f72b2055cfc8da01bb48cf5ae8e45e523860e0b23a65b9f14dbdbb7f4ee |
Trickbot: lip141 Trickbot: top141 Trickbot: top142 Dridex: 10444 Danabot: affid 40 |
2021-11-01 11:14:58 |
2021-11-01 18:41:14 |
Redline QuasarRAT |
| eef15f6416f756693cbfbfd8650ccb665771b54b4cc31cb09aeea0d13ec640cf |
Trickbot: lip141 Trickbot: lip142 Trickbot: lip143 Trickbot: top141 |
2021-11-01 15:01:07 |
2021-11-02 02:03:33 |
Smokeloader Lockbit Redline |
| f9246be51464e71ff6b37975cd44359e8576f2bf03cb4028e536d7cfde3508fc |
Trickbot: lip141 Trickbot: lip142 |
2021-11-01 15:09:14 |
2021-11-02 07:17:30 |
Redline |
| fcc49c9be5591f241ffd98db0752cb9e20a97e881969537fba5c513adbd72814 |
Trickbot: lip142 Dridex: 10444 |
2021-11-01 17:27:43 |
2021-11-01 18:41:04 |
Redline |
The sample with the hash 929a591331bdc1972357059d451a651d575166f676ea51daaeb358aa2a1064b7 that embedded both Dridex and Smokeloader was downloaded from the following URL:
hxxp://privacytoolzfor-you6000[.]top/downloads/toolspab2.exe
In the previous subsection, we linked the “Privacy tools” websites to Smokeloader operators. It is unclear whether the operators behind these websites operated the Dridex 10444 botnet or only acted as a link in the delivery chain. However, we can assume the “Privacy tools” website was used for distribution since the same Dridex botnet identifier and controllers were seen across different hashes and delivery URLs during this period.
Seeing downloads for Danabot, Dridex, Kronos and Trickbot for the first time within the same time frame hardly can be regarded as a coincidence. Moreover, these trojans often were bundled with each other. Therefore, we assess a single entity likely operating these specific botnets was using the PrivateLoader PPI service at the time.
On Nov. 14, 2021, PrivateLoader bots started to download samples of the Danabot banking trojan with the affiliate ID 4 for a single day.
Based on these short outbursts that lasted no more than a day, we suspect the banking trojan operators were experimenting with this PPI service as another delivery mechanism for their malware.
Ransomware
Underground PPI services generally advise against deploying ransomware on target machines since it renders them unusable. However, cybercriminals have a reputation of not adhering to rules and deploy ransomware anyway.
The only time in which we detected ransomware samples downloaded by PrivateLoader was when it dropped banking trojans in early November 2021. The table in the previous subsection showed downloads for the LockBit and STOP Djvu ransomware families.
While analyzing payloads downloaded by PrivateLoader, we identified a new loader we dubbed Discoloader. Discoloader was written using the .NET framework and uses the Discord content delivery network (CDN) to host its payload. Although not directly from PrivateLoader, we observed samples of this family delivering Conti ransomware directly into infected hosts, which is an uncharacteristic delivery mechanism since this family typically only is deployed after total compromise of enterprise networks.
Conclusion
PPI services have been a pillar of cybercrime for decades. Just like the wider population, criminals are going to flock to software that provides them a wide array of options to easily achieve their goals. As we have detailed, criminals have used PrivateLoader to launch all kinds of schemes. By highlighting the versatility of this malware, we hope to give defenders the chance to develop unique strategies in thwarting malware attacks empowered by PrivateLoader.
MITRE ATT&CK techniques
This report uses the MITRE Adversarial Tactics, Techniques and Common Knowledge (ATT&CK) framework.
| TECHNIQUE TITLE | ID | USE |
|---|---|---|
| Resource Development [TA0042] | ||
| Stage Capabilities: Upload Malware | T1608.001 |
PrivateLoader often hosts malicious payloads on the Discord CDN. We observed recent controllers downloading attachments from just the 891006172130345095, 905701898806493199 and 896617596772839426 IDs. |
| Persistence [TA0003] | ||
| Create or Modify System Process: Windows Service | T1543.003 |
PrivateLoader can be persisted as a startup service and is installed with the following attributes:
|
| Scheduled Task/Job: Scheduled Task | T1053.005 | The PrivateLoader service module always persists as a scheduled task that executes every hour. It also can be persisted as a logon scheduled task when a Windows service is not used. |
| Browser Extensions | T1176 | PrivateLoader can download and silently install malicious browser extensions on Google Chrome and Microsoft Edge browsers. |
| Privilege Escalation [TA0004] | ||
| Abuse Elevation Control Mechanism: Bypass User Account Control | T1548.002 | The PrivateLoader core module uses a Windows 10 user account control (UAC) bypass technique to elevate privileges. The bypass uses a widely documented technique involving the ComputerDefaults.exe system executable (.exe) file, which has the auto-elevate option set. |
Source: https://intel471.com/blog/privateloader-malware