PrivateLoader is used as a delivery framework to host Smokeloader payloads and other malware via PPI services, spanning multiple campaigns and payload families. It has facilitated deliveries of Qbot, Kronos, Trickbot, Dridex, Danabot, Vidar, and even Conti ransomware through evolving loader capabilities and affiliated distribution networks. #PrivateLoader #Smokeloader #Qbot #Kronos #Trickbot #Dridex #Danabot #Vidar #Conti
Keypoints
- PrivateLoader hosts malicious payloads on sites categorized as pab1, pab2, and pab3, often via Private Internet or third-party services (PPI) and not always tied to the βpub*β affiliate IDs.
- On 2021-10-22 a pab2 Smokeloader sample delivered Qbot, revealing a new botnet ID (star01).
- On 2021-10-31 European PrivateLoader bots downloaded Kronos and Vidar from a direct URL, demonstrating cross-family deployment and multi-stage payloads.
- In early November 2021, PrivateLoader bots downloaded Dridex (10444) and Danabot (affiliates 40 and later 4), and Trickbot variants, often bundled with other malware families.
- A single URL hxxp://privacytoolzfor-you6000[.]top/downloads/toolspab2.exe was used to deliver a sample embedding Dridex and Smokeloader, suggesting shared delivery infrastructure.
- Ransomware activity occurred only alongside banking trojan campaigns (LockBit, STOP Djvu), with a notable new loader, Discoloader, using Discord CDN to host Conti payloads.
MITRE Techniques
- [T1608.001] Stage Capabilities: Upload Malware β PrivateLoader often hosts malicious payloads on the Discord CDN. βPrivateLoader often hosts malicious payloads on the Discord CDN.β
- [T1543.003] Create or Modify System Process: Windows Service β PrivateLoader can be persisted as a startup service and is installed with attributes like Service name PowerControl and startup type at system boot. βService name: PowerControl.β
- [T1053.005] Scheduled Task/Job: Scheduled Task β The PrivateLoader service module always persists as a scheduled task that executes every hour, and can also be a logon scheduled task.
- [T1176] Browser Extensions β PrivateLoader can download and silently install malicious browser extensions on Google Chrome and Microsoft Edge.
- [T1548.002] Abuse Elevation Control Mechanism: Bypass User Account Control β The core module uses a UAC bypass via ComputerDefaults.exe with auto-elevate semantics.
Indicators of Compromise
- [Hash] 14e7cc2eadc7c9bac1930f37e25303212c8974674b21ed052a483727836a5e43 β context: Trickbot: top142; Nanocore RAT; Smokeloader observed in related campaigns.
- [Hash] 4554dc95f99d6682595812b677fb131a7e7c51a71daf461a57a57a0d903bb3fa β context: Trickbot: tot160; Trickbot: top141; Dridex: 10444; related families observed (Tofsee, Redline).
- [URL] hxxp://privacytoolzfor-you6000[.]top/downloads/toolspab2.exe β context: Sample 929a591331bdc1972357059d451a651d575166f676ea51daaeb358aa2a1064b7 embedded Dridex and Smokeloader.
- [URL] hxxp://2.56.59[.]42/EU/Yandex1500[.]exe β context: Kronos download; Vidar information stealer observed on the same sample.
- [File Name] toolspab2.exe β context: Used as the file downloaded from the privacy tool URL above.
- [Domain] privacytoolzfor-you6000.top β context: One of the domains hosting delivery URLs for Dridex/Trickbot/Smokeloader payloads.