Hunting PrivateLoader: The malware behind InstallsKey PPI service | Bitsight

The article analyzes PrivateLoader malware and how researchers uncovered its VMProtect packing, high-entropy sections, and encrypted strings, alongside unpacking methods. It also discusses a shared YARA rule to detect new PrivateLoader variants and the broader implications for defenders. #PrivateLoader #VMProtect #UnpacMe #PXOR #StringDecryption #DetectItEasy

Key points

  • PrivateLoader is packed with VMProtect, with most data in the .vmp section and very high entropy.
  • VMProtect uses a virtual machine and anti-analysis features, complicating unpacking and reverse engineering.
  • Unpacking was achieved via the unpac.me public service, revealing encrypted strings and limited plaintext indicators.
  • The unpacked sample often lacks a reconstructed Import Address Table, though Windows API usage is reflected in strings.
  • The code employs a string decryption pattern where characters are XORed with their position plus a key, repeated across blocks.
  • Bitsight shares a YARA rule to detect newer PrivateLoader variants and combines it with an older rule for broader coverage.

MITRE Techniques

  • [T1027] Obfuscated/Compressed Files and Information – VMProtect packing and VM-based execution hinder traditional unpacking; “VMProtect utilizes a virtual machine (VM) to execute code, making it difficult for traditional unpacking methods to decipher the original instructions.”
  • [T1140] Deobfuscate/Decode Files or Information – String decryption is applied across the code using XOR with position-based keys; “For each character in string: character XOR (character position + key)”
  • [T1497] Virtualization/Sandbox Evasion – Anti-debugging and anti-reverse engineering mechanisms are used to detect and thwart analysis at runtime; “anti-debugging and anti-reverse engineering mechanisms, which actively detect and thwart attempts to analyze or manipulate the packed binary during runtime.”
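The string-decryption pattern quoted above ("character XOR (character position + key)") is easy to apply to dumped strings once the key is known, and cheap to brute-force when it is not. The decoder below is an added example, not code from the Bitsight article or from PrivateLoader itself; it assumes a one-byte key, 0-based positions and 8-bit wrap-around of the per-character key byte, and the test vector it uses is constructed here.

```python
# Added example (not the article's or the malware's code): decoder for the
# position-based XOR scheme described in the article.
# Assumptions: single-byte key, 0-based positions, per-character key wraps at 8 bits.
from typing import List, Tuple

PRINTABLE = set(range(0x20, 0x7F))  # printable ASCII, used as a plaintext heuristic


def xor_position_key(data: bytes, key: int) -> bytes:
    """Apply 'byte XOR (position + key)'. XOR is its own inverse, so the
    same function both encodes and decodes a string."""
    return bytes(b ^ ((i + key) & 0xFF) for i, b in enumerate(data))


def recover_keys(blob: bytes) -> List[Tuple[int, bytes]]:
    """Brute-force the one-byte key over all 256 values and return every
    (key, plaintext) pair whose plaintext is entirely printable ASCII,
    ordered with the most alphanumeric-heavy candidates first."""
    hits = []
    for key in range(256):
        pt = xor_position_key(blob, key)
        if all(b in PRINTABLE for b in pt):
            hits.append((key, pt))
    hits.sort(key=lambda kp: -sum(chr(b).isalnum() for b in kp[1]))
    return hits


# Constructed test vector: a typical API-related string encoded at import time
# with the scheme above. The key and plaintext are made up for this example.
SAMPLE_KEY = 0x5A
SAMPLE_PLAINTEXT = b"kernel32.dll"
SAMPLE_BLOB = xor_position_key(SAMPLE_PLAINTEXT, SAMPLE_KEY)


def decode_sample() -> bytes:
    """Decode the constructed blob with its known key."""
    return xor_position_key(SAMPLE_BLOB, SAMPLE_KEY)


if __name__ == "__main__":
    print("encoded :", SAMPLE_BLOB.hex())
    print("decoded :", decode_sample())
    # Without the key, list printable candidates; the true key should be among them.
    for key, pt in recover_keys(SAMPLE_BLOB)[:5]:
        print(f"key=0x{key:02x} -> {pt!r}")
```

Real samples keep the encrypted bytes in stack-built blocks of varying length, so in practice the decoder is run per block on the bytes the stack construction produces.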

Indicators of Compromise

  • [Domain] Domains referenced in the article (the author's and the unpacking service's sites, not malicious indicators) – bitsight.com, unpac.me
  • [URL] URLs mentioned in the article – https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service, https://www.bitsight.com/sites/default/files/2024/02/23/Stack%20variable%20built%20at%20runtime.png, https://www.bitsight.com/sites/default/files/2024/02/23/String%20decryption%20function.png

Read more: https://www.bitsight.com/blog/hunting-privateloader-malware-behind-installskey-ppi-service