PrivateLoader: the loader of the prevalent ruzki PPI service

SEKOIA analysts document PrivateLoader as a modular downloader that operates within the ruzki Pay-Per-Install (PPI) service to download and execute multiple payloads, enabling broad distribution of malware. The report links PrivateLoader to ruzki’s PPI ecosystem, describing its infrastructure, workflow, and the range of malware it delivers across global targets.
#PrivateLoader #ruzki #PPI #DeadDropResolver

Keypoints

  • PrivateLoader is a modular C++ loader with a loader, core, and service module, designed to download and execute next-stage payloads and to perform anti-analysis techniques.
  • The ruzki PPI service sells bundles of thousands of installations worldwide (and in Europe/US), using a network of webmasters and Telegram channels to distribute payloads.
  • SEKOIA identifies multiple active PrivateLoader C2 servers across Russia, Czechia, and Germany, with activity dating back to 2021–2022 and ongoing in campaigns monitored in 2022.
  • PrivateLoader uses dead drop resolvers (embedded URLs) to obtain the next payload, including publicly accessible sites (e.g., Pastebin) and proprietary servers, with C2 communications obfuscated by XOR and other encoding methods.
  • The loader’s communications are split into stages: deobfuscation of embedded URLs, HTTP requests to obtain final payload URLs, and subsequent payload downloads, all using obfuscation techniques.
  • Malware distributed by PrivateLoader includes information stealers (Redline, Vidar, etc.), ransomware (Djvu), botnets (Danabot, SmokeLoader), miners (XMRig), and other commodity malware (DcRAT, Glupteba, Netsupport, Nymaim variants).
  • The PrivateLoader/ruzki relationship is supported by shared C2 endpoints, “statistics” links, and observed references in customer conversations and public disclosures, indicating that PrivateLoader is the loader used by the ruzki PPI service.

MITRE Techniques

  • [T1102.001] Web Service: Dead Drop Resolver – The loader deobfuscates embedded URL(s) not controlled by the attacker to obtain dead drop resolvers (‘The malware deobfuscates one or several embedded URL(s) not controlled by the attacker (tactic of dead drop resolver).’)
  • [T1001] Data Obfuscation – The loader uses stack string obfuscation and methods to conceal its operations (‘Stack string obfuscation; … Anti-analysis techniques.’)
  • [T1105] Ingress Tool Transfer – The loader downloads the next payload over HTTPS and executes it (‘Next stage payload download over HTTPS and execution.’)
  • [T1132] Data Encoding – C2 communications are encoded/obfuscated (e.g., XOR with a key) (‘The communication with PrivateLoader C2 is obfuscated xor the HTTP body with the key 0x6d.’)
  • [T1568] Dynamic Resolution – The core module dynamically retrieves the next URL to load the subsequent stage payload (‘The Core module contacting the Command and Control (C2) to get the URL to download the next payload … subsequently used to get another URL hosting the next stage payload.’)
  • [T1573.001] Encrypted Channel: Symmetric Cryptography – The C2 channel uses symmetric-like encryption (XOR) to conceal payload data (‘communication… obfuscated by XORing the HTTP body with the key 0x6d’).
  • [T1027] Obfuscated Files or Information – The loader employs obfuscation (byte replacement table and deobfuscation process) to conceal payloads (‘Table 1 : Byte replacement table’ … deobfuscated payloads).
  • [T1608.001] Stage Capabilities: Upload Malware – The core module can trigger loading of additional malware or end its activity depending on configuration (‘Core module allows two configurations, … the second configuration downloads other malwares and ends its activity’).
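The two communication details above that a defender can act on directly are the single-byte XOR (key 0x6d) applied to the C2 HTTP body and the fixed set of dead drop resolver URLs the loader contacts. The following Python script is an added example, not code from the SEKOIA report or from PrivateLoader itself: it deobfuscates a captured body with the reported key and flags proxy log lines that reference the resolver URLs listed in the Indicators of Compromise section. The HTTP body, the next-stage URL and the squid-style log lines are constructed sample data, not real telemetry.

```python
"""
Added example (not part of the SEKOIA report): decode a PrivateLoader-style
C2 HTTP body that was XOR-obfuscated with the single-byte key 0x6d, and flag
proxy log lines that reference the report's dead drop resolver URLs.
"""
from __future__ import annotations

from typing import Iterable

XOR_KEY = 0x6D  # key the report states for PrivateLoader C2 HTTP bodies


def xor_body(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key; the same call obfuscates and deobfuscates."""
    return bytes(b ^ key for b in data)


def decode_c2_body(body: bytes, key: int = XOR_KEY) -> str:
    """Deobfuscate a captured body and return it as text (latin-1 is lossless)."""
    return xor_body(body, key).decode("latin-1")


def refang(ioc: str) -> str:
    """Turn the defanged IoC notation (hxxp, [.]) back into a matchable URL."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


# Dead drop resolver URLs exactly as listed in the report, refanged for matching.
DEAD_DROP_RESOLVERS = {
    refang(u)
    for u in (
        "hxxp://212.193.30[.]115/base/api/getData.php",
        "hxxp://212.193.30[.]115/base/api/statistics.php",
        "hxxp://163.123.143[.]4/proxies.txt",
        "hxxp://107.182.129[.]251/server.txt",
        "hxxp://wfsdragon[.]ru/api/setStats.php",
        "hxxps://pastebin[.]com/raw/A7dSG1te",
    )
}


def find_dead_drop_hits(log_lines: Iterable[str]) -> list[tuple[int, str]]:
    """Return (line_number, matched_url) for every log line that names a known resolver."""
    hits: list[tuple[int, str]] = []
    for n, line in enumerate(log_lines, 1):
        for url in DEAD_DROP_RESOLVERS:
            if url in line:
                hits.append((n, url))
    return hits


# Constructed sample: what the resolver body looks like after deobfuscation.
# The URL is a placeholder, not one from the report.
SAMPLE_PLAINTEXT = b"https://example.invalid/next_stage.exe"
SAMPLE_OBFUSCATED = xor_body(SAMPLE_PLAINTEXT)  # as it would appear on the wire

# Constructed squid-style proxy log lines (client IPs and upstream IPs are made up).
SAMPLE_LOG = [
    "1660000000.123 45 10.0.0.5 TCP_MISS/200 512 GET http://212.193.30.115/base/api/getData.php - HIER_DIRECT/212.193.30.115 text/html",
    "1660000001.456 30 10.0.0.7 TCP_MISS/200 2048 GET https://www.example.com/ - HIER_DIRECT/203.0.113.10 text/html",
    "1660000002.789 40 10.0.0.5 TCP_MISS/200 128 GET https://pastebin.com/raw/A7dSG1te - HIER_DIRECT/203.0.113.20 text/plain",
]

if __name__ == "__main__":
    print("decoded body:", decode_c2_body(SAMPLE_OBFUSCATED))
    for n, url in find_dead_drop_hits(SAMPLE_LOG):
        print(f"line {n}: dead drop resolver contacted: {url}")
```

Because a single-byte XOR is its own inverse, `xor_body` serves for both directions, which is also why this scheme is obfuscation rather than encryption: anyone holding a capture can recover the body once the key is known. The log matcher is deliberately a plain substring check so it can be dropped into any pipeline that yields one request per line; when matching at scale, the IP-only IoCs from the report (which are not URLs) should be matched as separate destination-host rules rather than added to this set.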

Indicators of Compromise

  • [IP Address] PrivateLoader C2 – 79.174.12[.]174, 212.193.30[.]115 (Active C2 servers; Russia/Czechia/Germany).
  • [URL] PrivateLoader Dead Drop Resolver – hxxp://212.193.30[.]115/base/api/getData.php, hxxp://212.193.30[.]115/base/api/statistics.php
  • [URL] PrivateLoader Dead Drop Resolver – hxxp://163.123.143[.]4/proxies.txt, hxxp://107.182.129[.]251/server.txt
  • [URL] Dead Drop Resolver host – hxxp://wfsdragon[.]ru/api/setStats.php
  • [URL] Dead Drop Resolver/public paste URL – hxxps://pastebin[.]com/raw/A7dSG1te
  • [Hash] PrivateLoader-related hashes – 6c9223f75d2cca77fc09fbce2e76034326718c4daab02abc1e4f7caefefbcbc5, 2048e7a38a3f8b52bb3e47435ec8ed42dc531446af7a02f76a7f8f79665610de
  • [Hash] RedLine variants associated with PrivateLoader – 27d2943e3dc87f5bfaf314dbf2b50dad4563b53515d471f398b81d5fe8b7a8fe, 88c7dbb90db43f552465fb2b3a2c036f5c906cf2c8f14b80ee3cab8eee52d31d
  • [Hash] DcRAT – 392049ce2edacaef91a29eb0ef2b7b9927a82550b592dedf725a33b6cfdd2381

Read more: https://blog.sekoia.io/privateloader-the-loader-of-the-prevalent-ruzki-ppi-service/