Dropper Malware believed to be created by Russian actor.
Abstract
PrivateLoader is a malware dropper believed to have been created by Russian actors. It is said to be a Pay-per-install (PPI) service malware. This malware is not particularly new, and many analysis results have already been reported. In this article, I aim to supplement existing reports by introducing some distinctive information and technical tips regarding the analysis results of PrivateLoader discovered in the summer of 2023. I hope to provide insights useful for malware detection and analysis. For an explanation of the packer used in this specimen, which appears to be VMProtect, please refer to my other blog posts.
Reference:
“PrivateLoader: The first step in many malware schemes”, Intel471
https://intel471.com/blog/privateloader-malware
“NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service”, Trend Micro
https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html
“Tracking down the cybercriminal infrastructure of infostealer RisePro”, Projet FOX
https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/
Restrictions:
- This malware may have only worked in part of several functions. For this reason, the behavior may differ between the specimens I analyzed and other specimens.
- There may be mistakes in my analysis.
Malware hash:
MD5: F6570495946923AA4D1467FDBAFBC2F6
SHA1: A0390712FE78C98DB97DC7CCAEA6E0929F548C95
Overview of analyzed features
What purpose?
I will explain the purpose of the malware as inferred from its functional overview.
C2 and other communications
I will explain the malware communications discovered through my analysis. The malware not only used C2 but also official websites.
Downloading and executing file
I discovered behavior that attempts to download and execute additional malware. This malware attempted to download additional malware from a social networking service site.
Encryption/Decryption using “CryptPP”
The malware used the CryptPP library for data encryption and key exchange.
Searching for data in browser files
The malware probed for file content strings in several popular browsers. It targeted specific domain names.
Defense evasion : Killing Windows Defender technique
This malware makes configurations to disable Windows Defender. It appears to involve registry manipulation, but in my analysis environment, a new configuration file was generated.
Developer Information
Thanks to other useful research, we know that the username of this actor is “KING420”. I present one piece of evidence.
What purpose?
“PrivateLoader” does not seem to be a dropper limited to specific actors; rather, it appears to be a tool intended for use by many cyber attackers. It is likely that the service offers specific functions selected by the user from among multiple features. The malware checks strings such as “WW_(number)” or “USA_1,” which are presumed to be functional parameters. Additionally, the “WW_(number)” parameter is also included in the data sent to the C2 server. “PrivateLoader” attempts to drop and execute malware, which is likely to be an information stealer as its main payload. While this malware itself does not steal information, it checks the domain names included in the browser’s “Login Data” file.
The sectors targeted by the domains checked are as follows:
- Cryptocurrency exchanges
- NFT services
- Financial institutions (Global)
- United States financial institutions
- Australian financial institutions
- Canadian financial institutions
- Pakistan bank
- Online shopping
- Cloud services
- Hotel reservation
- Mexican postal and banking
- Spanish postal and banking
C2 and other communications
The malware communicates using HTTP, utilizing the WinHttp API of Windows. Instead of using a domain name, it decrypts and uses an IP address for the C2 server. In the specimen analyzed, port 80 was used for communication with the C2 server. Additionally, the malware uses legitimate websites to obtain the victim’s WAN IP information. One notable characteristic is its use of social media platforms to download additional malware payloads.
Used Windows APIs
The names of the APIs used are obfuscated and decoded before use. The API addresses are obtained without using GetProcAddress API, utilizing the handle of the loaded DLL and the API’s text. The APIs used may differ depending on the communication process. The WinHttp APIs used are as follows:
- WinHttpOpen
- WinHttpConnect
- WinHttpOpenRequest
- WinHttpSetTimeouts
- WinHttpSendRequest
- WinHttpReceiveResponse
- WinHttpQueryHeaders
- WinHttpQueryDataAvailable
- WinHttpReadData
- WinHttpCloseHandle
- InternetOpenA
- InternetSetOptionA
- InternetConnectA
- InternetOpenUrlA
- InternetReadFile
- InternetCloseHandle
Communicate to C2 Server
When I investigated, the host parameter of the C2 server’s URL was directly set to an IP address. I observed the path names as “api/tracemap.php” and “api/firegate.php”. It is expected that these path names are used differently depending on the purpose of the communication. Unfortunately, like the IP addresses, these path names are also likely to change frequently. The protocol used is HTTP, not HTTPS, and the communication port was 80.
Communicate to Legitimate websites
The malware accessed the following legitimate sites to obtain the victim’s WAN parameters:
api.myip.com
ipinfo.io/widget/demo/(Victim’s IP address)
“api.myip.com” is accessed to obtain the IP address of the victim’s WAN. The incoming data is simple.
ex) {“ip”:”114.1xx.***.***”,”country”:”Japan”,”cc”:”JP”}
(some parameters are masked.)
“ipinfo.io/widget/demo/” is used to retrieve various information, including the hostname, from an IP address in the form of a JSON text file. The data obtained is similar to that of a WhoIs query. The IP address required for the query is obtained from the return parameter of “api.myip.com”. The malware extracts the parameters of interest from the retrieved JSON data and includes them in the data sent to the C2 server.
Communicate to SNS
This malware accessed the social network “vk.com.” Analysis revealed that the purpose of this access was to download additional malware. Although I am not very familiar with it, “vk.com” appears to offer file upload and download services. A more detailed explanation will be provided in a later section.
Downloading and executing file
This malware accesses the social network “vk.com” and writes the received data to a file. During my investigation, the file was written to “C:\Users(user name)\Pictures//Minor Policy”. The file name is “(random string).exe”. The file is executed using ShellExecuteA API. I believe this is the mechanism for dropping and executing additional malware.
The malware accessed vk.com using the InternetOpenA API, as shown in the figure below:
The string stored at address “0x000002791E7DB660” is the URL to the malware file. I am not familiar with this social network, but I assume it likely includes a feature for downloading files.
I searched the web using this URL parameter, but no identical parameters were found. However, an article on the MALWARE Bazaar website matched part of the parameters. While the reason for this match is unclear, I suspect it may be related to the use of the same account. According to the article, the dropped malware appeared to be an infostealer called LedLineStealer. Based on this, I assume that this malware was using “vk.com” as a dropper site. I also expect that the purpose in this case was to download similar malware.
https://bazaar.abuse.ch/sample/0c3e2f384b19e296f638c91f22b05f663ec9b0519c0a66efedf4690f0e22ef97/
Encryption/Decryption using “CryptPP”
This malware encrypts communication parameters using AES-256 in CBC mode. It appears that an all-zero initialization vector is used. Based on analysis in IDA, open-source “CryptPP” library were found to be used. The encrypted data is encoded in BASE64. Additionally, in the encoded string, the “+” is replaced with “-” and “/” is replaced with “_”. This seems to be a technique to make it more difficult to decode the BASE64 data.
“CryptPP” seems to prioritize using the CPU’s AES instructions when they are available. I will omit the details related to the analysis of “CryptPP”.
When using symmetric key encryption, key exchange is one of the challenges. This malware appears to use a password-based key exchange function. The function name seems to be “AUPasswordBasedKeyDerivationFunction@CryptoPP@@”. The string that seems to be the password was embedded within the malware. The string is “Snowman+under_a_sn0wdrift_forget_the_Snow_Maiden”.
Searching for data in browser files
This malware references information from the “Login Data” file created by browsers. The targeted browsers include Google Chrome, Microsoft Edge, Brave Browser, CryptoTab Browser, and Opera Browser. This malware searches for specific domain names in the “Login Data” files of these browsers. If a match is found, the domain name is included in the transmission data. However, in my investigation, it did not lead to password theft. This may either be controlled by a functional parameter or the malware might not have a password extraction capability. It is possible that the malware is simply checking if there is any data of interest on the victim’s device. (See : Appendix)
What happens if the domain name searched for is found in the browser’s “Login Data” file? The data is edited into JSON format. Figure 9 shows an example of a hit for the “binance.com” domain. This information does not include authentication credentials. However, the criminals who receive this data might expect that the victim’s device contains authentication information for “binance.com” and attempt to steal it. This data is encrypted using the method described in the “Encryption/Decryption using CryptPP”encoded in a modified BASE64 format, and then transmitted to the C2 server.
Defense evasion : Killing Windows Defender technique
This malware disables Windows Defender by modifying its policy using registry APIs. It leverages a handle obtained through gpedit.dll APIs and uses APIs such as RegCreateKeyExA, RegOpenKeyExA, and RegSetValueExA to edit the parameters. In the environment I analyzed, this setting was output to a file named “C:\Windows\System32\GroupPolicy\Machine\Registry.pol”. As a result, detection by Windows Defender in my analysis environment appeared to be disabled. Therefore, the existence of this file and its internal parameters are crucial forensic artifacts for identifying or detecting attacks that attempt to disable Windows Defender.
The data output to the ‘Registry.pol’ file to disable Windows Defender is as follows:
Path: SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions (Create)
Key: Exclusions_Extensions
Value: (DWORD) 0x00000001
Path: SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions (Create)
Key: exe
Value: (REG_SZ) [00 00]
Path: SOFTWARE\Policies\Microsoft\Windows Defender (Open)
Key: DisableAntiSpyware
Value: (DWORD) 0x00000001
Path: SOFTWARE\Policies\Microsoft\Windows Defender (Open)
Key: DisableRoutinelyTakingAction
Value: (DWORD) 0x00000001
Path: SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (Create)
Key: DisableBehaviorMonitoring
Value: (DWORD) 0x00000001
Path: SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (Create)
Key: DisableOnAccessProtection
Value: (DWORD) 0x00000001
Path: SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (Create)
Key: DisableScanOnRealtimeEnable
Value: (DWORD) 0x00000001
Path: SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (Create)
Key: DisableRealtimeMonitoring
Value: (DWORD) 0x00000001
Path: SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (Create)
Key: DisableIOAVProtection
Value: (DWORD) 0x00000001
Path: SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection (Create)
Key: DisableRawWriteNotification
Value: (DWORD) 0x00000001Developer Information
The developer of the malware is believed to be of Russian origin and Malware developer username is “KING420”. This has been very well researched by ‘Project Fox’.
https://projetfox.com/en/2023/11/tracking-down-the-cybercriminal-infrastructure-of-infostealer-risepro/
While analyzing this malware, I discovered a parameter that support this information, which I would like to introduce.
His name is “King420”. He prefers developing in the Windows desktop folder. The project name is “PrivateLoader”. While this malware is for the client, there is likely a “PL_Server” folder that contains the server code. He’s quite kind, leaving fingerprints that can be used for research like this. Thanks to these keywords, I was able to discover the “Project Fox” article! Also, while developer of VMProtect claims to hide parameters, this tool might not be very reliable. As I mentioned in my previous article, there are several cheap aspects to this tool.
In malware analysis, interesting parameters like these can sometimes emerge after deobfuscating or decrypting the code. Malware analysts might want to look for such parameters during their analysis, just to have something to mock malware actors for during social gatherings over drinks (lol). However, I believe that truly skilled hackers wouldn’t make such cheap mistakes.
Reflections
This article introduces some of the techniques of Private Loader that were discovered last year. I applied to present this content at a conference, but I was not selected. Since the content is not particularly advanced and there have already been several reports about Private Loader, I thought there would be no opportunities to present at future conferences. Therefore, I decided to leave this article as a record for knowledge.
I hope this article will help in the detection and investigation of cyber attacks. Victory to the cyber defenders!
Appendix : List of URLs checked in browser files
I will enumerate the domain names that Private Loader searched from the browser’s “Login Data” file.
Note: This does not imply that these websites are vulnerable. It suggests that the malware is likely interested in stealing authentication information from victims’ devices related to these websites.
- Domain names list of cryptocurrency exchanges:
sorare.com, yobit.net, zb.com, binance.com, huobi.com, okex.com,
hitbtc.com, bitfinex.com, kraken.com, bitstamp.net, payoneer.com,
bittrex.com, bittrex.zendesk.com, gate.io, exmo.com, yobit.io,
bitflyer.com, poloniex.com, kucoin.com, coinone.co.kr, localbitcoins.com,
korbit.co.kr, cex.io, luno.com, bitkonan.com, jubi.com, koinex.in,
koineks.com, kuna.io, koinim.com, kiwi-coin.com, leoxchange.com,
lykke.com, localtrade.cc, magnr.com, lbank.info, itbit.com, gemini.com,
gdax.com./widget, gatehub.net, satoshitango.com, foxbit.com.br,
flowbtc.com.br, exx.com, exrates.me, excambriorex.com, ezbtc.ca,
infinitycoin.exchange, tdax.com, stex.com, vbtc.exchange, coinmarketcap.com,
vwlpro.com, nocks.com, nlexch.com, novaexchange.com, mynxt.info, nzbcx.com,
nevbit.com, mixcoins.com, mr.exchange, neraex.pro, dsx.ukO, okcoin.com,
liquid.com, quoine.com, quadrigacx.com, rightbtc.com, rippex.net,
ripplefox.com, qryptos.com, ore.bz, openledger.info, omnidex.io,
paribu.com, paymium.com, dcexchange.ru, dcexe.com, bitmex.com, funpay.ru,
bitmaszyna.pl, bitonic.nl, bitpanda.com, bitsblockchain.net, bitmarket.net,
bitlish.com, bitfex.trade, blockchain.com, blockchain.info, cryptofresh.com,
btcmarkets.net, braziliex.com, btc-trade.com.ua, btc-alpha.com, bitspark.io,
bitso.com, bittylicious.com, altcointrader.co.za, arenabitcoin.com,
allcoin.com, 796.com, abucoins.com, aidosmarket.com, bitcointrade.com,
bitcointoyou.com, bitbanktrade.jp, big.one, bcex.ca, bitconnect.co,
coinsbank.com, coinsecure.in, coinsquare.com, coinspot.io, coinsmarkets.com,
crypto-bridge.org, dcex.com, dabtc.com, decentrex.com, deribit.com,
dgtmarket.com, btcturk.com, btcxindia.com, bt.cx, bitstarcoin.com,
coincheck.com, coinmate.io, coingi.com, coinnest.co.kr, coinrail.co.kr,
coinpit.io, coingather.com, coinfloor.co.uk, coinegg.com, coincorner.com,
coinexchange.io, pancakeswap.finance, coinbase.com, livecoin.net,
mercatox.com, cryptobridge.freshdesk.com, volabit.com, tradeogre.com,
bitkub.com, uphold.com, wallet.uphold.com, login.blockchain.com, tidex.com,
coinome.com, coinpayments.net, bitmax.io, bitbank.cc, independentreserve.com,
bitmart.com, cryptopia.co.nz, cryptonator.com, advcash.com,
my.dogechain.info, spectrocoin.com, exir.io, exir.tech, coinbene.com,
bitforex.com, gopax.co.kr, catex.io, vindax.com, coineal.com, maicoin.com,
finexbox.com, etherflyer.com, bx.in.th, bitopro.com, citex.co.kr,
coinzo.com, atomars.com, coinfinit.com, bitker.com, dobitrade.com,
btcexa.com, satowallet.com, cpdax.com, trade.io, btcnext.io, exmarkets.com,
btc-exchange.com, chaoex.com, jex.com, therocktrading.com, gdac.com,
southxchange.com, tokens.net, fexpro.net, btcbox.co.jp, coinmex.com,
cryptology.com, cointiger.com, cashierest.com, coinbit.co.kr, mxc.com,
bilaxy.com, coinall.com, coindeal.com, omgfin.com, oceanex.pro,
bithumb.com, ftx.com, shortex.net, coin.z.com, fcoin.com, fatbtc.com,
tokenize.exchange, simex.global, instantbitex.com
- Domain names list associated with financial institutions:
ncsecu.org, penfed.org, becu.org, schoolsfirstfcu.org, firsttechfed.com,
golden1.com, alliantcreditunion.org, americafirst.com, suncoastcreditunion.com,
secumd.org, safecu.org, missionfed.com, greendot.com, firsttechfed.com,
americafirst.com, rbfcu.org, macu.com, dcu.org, ssfcu.org, bethpagefcu.com,
starone.org, alaskausa.org, sdccu.com, aacreditunion.org, lmcu.org,
teachersfcu.org, patelco.org, esl.org, onpointcu.com, logixbanking.com,
psecu.com, deltacommunitycu.com, ent.com, cefcu.com, greenstate.org,
unfcu.org, pffcu.org, wingsfinancial.com, iccu.comdesertfinancial.com,
iccu.com, desertfinancial.com, hvfcu.org, wpcu.coop, redwoodcu.org,
tcunet.com, wsecu.org, joviafinancial.com, coastal24.com, myeecu.org,
gecreditunion.org, nymcu.org, affinityfcu.com, towerfcu.org, safecu.org,
ccu.com, communityamerica.com, langleyfcu.org, credithuman.com, techcu.com,
gecu.com, kfcu.org, applefcu.org, nasafcu.com, sfcu.org, genisyscu.org,
unifyfcu.com, apcocu.org, firstcommunity.com, unitedfcu.com, fairwinds.org,
ufcu.org, wescom.org, missionfed.com, bcu.org, vacu.org, citadelbanking.com,
servicecu.org, summitcreditunion.com, secumd.org, gesa.com, chevronfcu.org,
traviscu.org, uwcu.org, communityfirstcu.org, ecu.org, sccu.com, bfsfcu.org,
bellco.org, dfcufinancial.com, msufcu.org, members1st.org, landmarkcu.com,
kinecta.org, midflorida.com, visionsfcu.org, veridiancu.org,
statefarmfcu.com, tinkerfcu.org, sefcu.com, americanheritagecu.org,
robinsfcu.org, canvas.org, growfinancial.org, truliantfcu.org,
fairwinds.org, ascend.org, foundersfcu.com, calcoastcu.org, ucu.org,
connexuscu.org, slfcu.org, numericacu.com, eecu.org, georgiasown.org,
nusenda.org, tvacreditunion.com, pcu.org, msgcu.org, nuvisionfederal.com,
trumarkonline.org, navigantcu.org, ornlfcu.com, jscfcu.org, lgfcu.org,
elevationscu.com, gtefinancial.org, chartway.com, ecu.com, sdfcu.org,
apcu.com, schools.org, metrocu.org, campuscu.com, adviacu.org, psfcu.com,
andrewsfcu.org, eglinfcu.org, imcu.com, americaneagle.org, ttcu.com,
vantagewest.org, empowerfcu.com, rfcu.com, capcomfcu.org, arizonafederal.org,
csecreditunion.com, communityfirstfl.org, bayportcu.org, gwcu.org, wecu.com
- Domain names list for online shopping
amazon.com, netspend.com, online.citi.com
- Domain names list that appear to be associated with Australian financial institutions
stgeorge.com.au, imb.com.au, ing.com.au, bankofmelbourne.com.au,
regionalaustraliabank.com, suncorp.com.au, regionalaustraliabank.com.au
- Domain names list other than Amazon's .com
amazon.it, amazon.ca, amazon.de
- Domain name of Paypal
paypal.com
- Domain names list for cloud services
cloud.ibm.com, ca.ovh.com, account.alibabacloud.com, cloud.huawei.com,
cloud.tencent.com, vultr.com, aws.amazon.com, portal.azure.com,
digitalocean.com, console.scaleway.com, hetzner.com, linode.com,
oracle.com, rackspace.com, phoenixnap.com, leaseweb.com, sso.ctl.io,
ctl.io, lumen.com
- Domain names list associated with Canadian financial institutions
bmo.com, cwbank.com, royalbank.com, vancity.com, servus.ca,
coastcapitalsavings.com, alterna.ca, interiorsavings.com,
synergycu.ca, mainstreetcu.ca
- Domain names list of cryptocurrency exchanges.(2) (Some overlap with previous lists. The reason is unknown.)
binance.com, ascendex.com, kraken.com, huobi.com, coinbase.com,
kucoin.com, hitbtc.com, gate.io, crypto.com, mercatox.com, coins.ph,
coins.th, poloniex.com, bittrex.com, bitpanda.com, exmo.com, dogechain.info,
luno.com, bitkub.com, blockchain.com, livecoin.net, miningpoolhub.com,
bitfinex.com
- Domain names list of cryptocurrency exchanges.(3) (Some overlap with previous lists. The reason is unknown.)
yobit.net, yobit.io, zb.com, okex.com, bitstamp.net, bitflyer.com,
coinone.co.kr, localbitcoins.com, korbit.co.kr, bitmex.com,
cryptobridge.freshdesk.com, volabit.com, tradeogre.com, uphold.com,
tidex.com, coinome.com, bitso.com, coinpayments.net, coinexchange.io,
bitmax.io, btc-alpha.com, bitbank.cc, independentreserve.com, bitmart.com,
exmo.com, cex.io, coinbase.com, cryptopia.co.nz, cryptonator.com,
advcash.com, spectrocoin.com, exir.io, exir.tech, coinbene.com,
bitforex.com, gopax.co.kr, catex.io, vindax.com, coineal.com, maicoin.com,
finexbox.com, etherflyer.com, bx.in.th, bitopro.com, lbank.info,
citex.co.kr, coinzo.com, atomars.com, coinfinit.com, bitker.com,
btc-trade.com.ua, dobitrade.com, btcexa.com, satowallet.com, cpdax.com,
trade.io, btcnext.io, exmarkets.com, localtrade.cc, btc-exchange.com,
chaoex.com, jex.com, therocktrading.com, gdac.com, southxchange.com,
tokens.net, fexpro.net, btcbox.co.jp, coinmex.com, cryptology.com,
kuna.io, cointiger.com, cashierest.com, liquid.com, coinbit.co.kr,
mxc.com, bilaxy.com, coinall.com, coindeal.com, omgfin.com, stex.com,
oceanex.pro, bithumb.com, ftx.com, shortex.net, coin.z.com, fcoin.com,
fatbtc.com, tokenize.exchange, simex.global, instantbitex.com,
btcmarkets.net
- Unknown domain names list.
cu.com, fcu.com
- Domain names list associated with United States financial institutions
robinhood.com, navyfederal.org
- Hotel reservation-related domain names list
tboholidays.com, 24x7rooms.com, adonis.com, abreuonline.com,
almundo.com.ar, bonotel.com, bookohotel.com, didatravel.com,
dotwconnect.com, eetglobal.com, escalabeds.com, fastpayhotels.com,
getaroom.com, goglobal.travel, hoteldo.com.mx, hotelspro.com,
jumbonline.com, kaluahtours.com, lci-euro.com, lotsofhotels.com,
mikinet.co.uk, misterroom.com, nexustours.com, olympiaeurope.com,
paximum.com, restel.es, rezserver.com, rezlive.com, sunhotels.com,
totalstay.com, travco.co.uk, travellanda.com, smyrooms.com,
welcomebeds.com, yalago.com, hotelbeds.com
- Domain names list for mail order and financial services in Mexico
mercadolibre.com.mx, hsbc.com.mx, bbvanetcash.mx, scotiabank.com.mx,
santander.com.mx, bbva.mx
- Domain name of Al Habib bank(Pakistan )
bankalhabib.com
- Domain names list of NFT services.
opensea.io, plantvsundead.com, axieinfinity.com, cryptocars.me,
bombcrypto.io, cryptoplanes.me, cryptozoon.io
- Spanish postal and banking domain names list
correosprepago.es, orangebank.es
