Researchers find link b/w PrivateLoader and Ruzki Pay-Per-Install Services

Cybersecurity researchers have revealed new connections between a widely used pay-per-install (PUP) malware service known as PrivateLoader and another PUP service called ruzki.

“The threat actor ruzki (aka les0k, zhigalsz) has been advertising his PPI service on Russian-speaking underground forums and his Telegram channels as ruzki or zhigalsz since at least May 2021”, SEKOIA said.

The cybersecurity firm said its investigations of the twin services led it to conclude that PrivateLoader is the proprietary loader of the ruzki PPI malware service.

PrivateLoader, as its name suggests, functions as a C++-based loader to download and deploy additional malicious payloads to infected Windows hosts. It is mostly distributed through SEO optimized websites that claim to provide pirated software.

Although it was first documented in February by Intel471, it was reportedly in use as early as May 2021.

cyber security

Some of the most common malware families spread via PrivateLoader include Redline Stealer, SocelarsRaccoon thief, Vidar, TofseeAmadey, DanaBot and Djvu and STOP ransomware strains.

A May 2022 analysis by Trend Micro revealed the malware distributing a framework called NetDooka. A follow-up report from BitSight at the end of last month found significant infections in India and Brazil in July 2022.

A new change spotted by SEKOIA is the use of the document service to host the malicious payloads as opposed to Discord, a change likely driven by increased monitoring of the platform’s content delivery network.

PrivateLoader and Ruzki pay-as-you-go services

PrivateLoader is also configured to communicate with command and control (C2) servers to retrieve and exfiltrate data. As of mid-September, there were four active C2 servers, two in Russia and one in Czechia and one in Germany.

“Based on the wide selection of malware families, which implies a wide range of threat actors or sets of intrusions exploiting this malware, the PUP service running PrivateLoader is very attractive and popular for attackers on underground markets,” the researchers said.

SEKOIA further stated that they discovered links between PrivateLoader and ruzki, a threat actor that sells bundles of 1,000 installs on infected systems located across the world ($70), or more specifically in Europe ($300) or the United States ($1,000).

These advertisements, which were placed on the Lolz Guru cybercrime forum, target threat actors (i.e., potential customers) who wish to distribute their payloads through the PUP service.

cyber security

The association stems mainly from the observations below –

  • An overlap between the PrivateLoader C2 servers and that of the URLs provided by ruzki to subscribers to track install statistics related to their campaigns
  • References to ruzki in the example PrivateLoader botnet names that were used to provide the Redline Stealer, such as ruzki9 and 3108_RUZKI, and
  • The fact that PrivateLoader and ruzki started operations in May 2021, with the operator ruzki using the term “our loader” in Russian on its Telegram channel

“Pay-per-install services have always played a key role in the distribution of grassroots malware,” the researchers said.

“As an additional turnkey solution reducing the cost of entry into the cybercriminal market and a service contributing to a continued professionalization of the cybercriminal ecosystem, it is highly likely that more PrivacyLoader-related activities will be observed in the near term. “

Margie D. Carlisle