
PrivateLoader Trojan

Unknown cybercriminals have been offering a powerful loader strain to other hacker outfits in a pay-per-install scheme. This means that the creators of the threat receive payments from their customers, based on the number of victims and successfully breached devices. The threat is being tracked as PrivateLoader and has been used in attack operations since at least May 2021.

Loader malware strains are typically used in the early stages of an attack and act as a delivery system for more threatening next-stage payloads. PrivateLoader specifically has been observed fetching and deploying Smokeloader, Redline and Vidar variants.

Smokeloader possesses similar loader functionality, but it can also perform data theft and reconnaissance activities. Vidar is classified as spyware and is capable of extracting various data, such as passwords, sensitive documents and digital wallet details. Redline is a threat focused on collecting victims' credentials.

Distribution and Details

According to a report published by researchers at Intel 471, PrivateLoader is mostly distributed through compromised download sites and cracked software products. These weaponized versions of popular software applications may be bundled with supposed key generators, programs that let users illegally unlock the full functionality of specific applications without paying for a certificate or subscription.

The initial vector of compromise could involve JavaScript triggered when the user clicks a download button on one of the breached websites. As a result, a weaponized .ZIP archive is dropped on the user's system. It contains an executable file that, when launched, installs several malware threats, including PrivateLoader.

Management of the threat is carried out via an administrator panel built with AdminLTE 3. From it, the attackers can pick the payload delivered by the loader, the targeted locations and countries, the download links for the threatening payload, the encryption used for communication with the Command-and-Control (C2, C&C) servers, and more.
