The Dark World of Pay-Per-Install (PPI) Networks: How PrivateLoader and Other Malware Distributors Make Money from Infecting Computers

Pay-per-install (PPI) networks are a type of cybercrime business model that involves paying affiliates to distribute malware to unsuspecting users. PPI networks are responsible for spreading various types of malicious programs, such as ransomware, information stealers, banking trojans, downloaders, and other commodity malware. In this blog post, we will dive into the dark world of PPI networks, with PrivateLoader serving as a case study. We will explain how these networks operate, the types of malware they distribute, and the implications for both users and the broader internet ecosystem.

What are PPI networks and how do they work?

PPI networks are a form of online advertising that pays affiliates to install software on users’ devices. However, unlike legitimate software distribution platforms, PPI networks often use deceptive or coercive methods to trick or force users to install unwanted or harmful software. PPI networks usually operate as follows:

  • A PPI provider creates or acquires a malware payload that can perform various malicious functions, such as stealing data, encrypting files, displaying ads, or downloading more malware.
  • A PPI provider sets up a website or a forum where affiliates can sign up and receive the malware payload, usually in the form of a downloader or a loader. The PPI provider also offers various tools and services to help affiliates customize, obfuscate, and distribute the malware payload.
  • An affiliate signs up to a PPI network and receives the malware payload. The affiliate then uses various methods and channels to spread the malware payload to potential victims, such as bundling it with legitimate software, uploading it to file-sharing or torrent sites, sending it via email or social media, or embedding it in malicious web pages or ads.
  • A user downloads and executes the malware payload, either knowingly or unknowingly. The malware payload then contacts the PPI provider’s server and downloads and executes the final malware payload, which can be different depending on the user’s location, device, or behavior.
  • The PPI provider tracks the number of successful installs and pays the affiliate a certain amount per install, usually ranging from a few cents to a few dollars. The PPI provider also collects a commission from the malware operators who use the PPI network to distribute their malware.

What is PrivateLoader and what types of malware does it distribute?

PrivateLoader is a downloader malware family that was first identified in early 2021 by Intel 471 and Walmart. The loader’s primary purpose is to download and execute additional malware as part of a PPI malware distribution service. PrivateLoader is used by multiple threat actors to distribute ransomware, information stealers, banking trojans, downloaders, and other commodity malware. Some of the malware families that have been observed being distributed by PrivateLoader are:

  • Redline Stealer: A credential and information stealer that targets browsers, cryptocurrency wallets, FTP clients, and other applications.
  • Vidar Stealer: A credential and information stealer that also has a screenshot and clipboard capture functionality.
  • SmokeLoader: A downloader that can download and execute various malware modules, such as keyloggers, rootkits, and backdoors.
  • Stop ransomware: A ransomware family that encrypts files and appends various extensions, such as .djvu, .coot, or .nols.
  • Zloader: A banking trojan that targets financial institutions and steals banking credentials, personal information, and cryptocurrency wallets.

PrivateLoader is written in C++, and the existence of multiple versions suggests it is in active development. The name “PrivateLoader” comes from debugging strings found in some versions of the malware, for example:

C:\Users\Young Hefner\Desktop\PrivateLoader\PL_Client\PL_Client\json.h

PrivateLoader is modularized into a loader component and a main component. The loader component contains three dead drop resolver URLs hardcoded in the malware, which it queries with HTTP GET requests; the purpose of these resolvers is to retrieve PrivateLoader’s command and control (C2) address. The main component contains the logic to download and execute the final malware payload, along with various anti-analysis techniques, such as obfuscated integer constants, encrypted strings and API names, and junk code.
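The loader behaviour just described leaves a recognisable trace in web-proxy logs: a short burst of HTTP GETs to several dead-drop hosts, followed by a connection to a host the client had not contacted before, often a bare IP address. The following is an added detection example written for this post; it is not code from the original article, from Intel 471 or from any PrivateLoader sample. The dead-drop host list, the log lines, the time window and the thresholds are all constructed assumptions for the illustration, not real indicators.

```python
"""Spot the dead-drop-then-C2 beacon sequence in web-proxy logs.

Added detection example; the log lines, host names and thresholds are all
constructed for this illustration and are not PrivateLoader indicators.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: hosts an organisation treats as possible dead-drop resolvers
# (paste sites, social profile pages, CDN-hosted text). Placeholders only.
DEAD_DROP_HOSTS = {"paste.example.net", "social.example.org", "cdn.example.com"}
WINDOW = timedelta(seconds=60)   # resolver burst and follow-on must fit in this window
MIN_RESOLVERS = 2                # distinct resolver hosts required before we alert

# Constructed proxy log: "<ISO timestamp> <client> <method> <host> <path> <status>".
# 203.0.113.77 is a TEST-NET-3 address used as a stand-in for a retrieved C2.
SAMPLE_LOG = """\
2024-01-10T10:00:01 10.0.0.5 GET paste.example.net /raw/abc123 200
2024-01-10T10:00:01 10.0.0.5 GET social.example.org /u/dropper 200
2024-01-10T10:00:02 10.0.0.5 GET cdn.example.com /status.txt 200
2024-01-10T10:00:04 10.0.0.5 POST 203.0.113.77 /api/v1/task 200
2024-01-10T10:05:00 10.0.0.9 GET paste.example.net /raw/notes 200
2024-01-10T10:30:00 10.0.0.9 GET news.example.com /index.html 200
"""


def parse_line(line):
    """Split one log line into a record; raises ValueError on a malformed line."""
    ts, client, method, host, path, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "host": host, "path": path, "status": int(status)}


def is_bare_ip(host):
    """True when the proxy saw a literal IP address instead of a host name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_dead_drop_sequences(log_text, dead_drop_hosts=DEAD_DROP_HOSTS,
                             window=WINDOW, min_resolvers=MIN_RESOLVERS):
    """Return one alert per client that queried >= min_resolvers dead-drop hosts
    and then contacted a bare-IP host inside the window."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = parse_line(line)
            by_client[rec["client"]].append(rec)

    alerts = []
    for client, recs in by_client.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            if first["method"] != "GET" or first["host"] not in dead_drop_hosts:
                continue
            resolvers = {first["host"]}
            follow_on = None
            for later in recs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                if later["method"] == "GET" and later["host"] in dead_drop_hosts:
                    resolvers.add(later["host"])
                elif len(resolvers) >= min_resolvers and is_bare_ip(later["host"]):
                    follow_on = later
                    break
            if follow_on is not None:
                alerts.append({"client": client,
                               "resolvers": sorted(resolvers),
                               "c2_candidate": follow_on["host"],
                               "first_seen": first["ts"].isoformat(),
                               "follow_on_at": follow_on["ts"].isoformat()})
                break  # one alert per client is enough to trigger triage
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_sequences(SAMPLE_LOG):
        print(alert)
```

On the constructed log, client 10.0.0.5 trips the rule (three resolver hosts, then a POST to a bare IP two seconds later) while 10.0.0.9 does not, because it touched a single resolver and its next request was 25 minutes later to a named host. The bare-IP criterion is a heuristic: a loader that receives a DNS name from its resolver would need a different follow-on test, such as "first contact with this host by this client".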

What are the implications of PPI networks for users and the internet ecosystem?

PPI networks pose a serious threat to users and the internet ecosystem, as they enable the widespread and indiscriminate distribution of malware. PPI networks have several negative implications, such as:

  • Compromising the security and privacy of users: PPI networks can infect users’ devices with malware that can steal their personal and financial information, encrypt their files and demand ransom, display unwanted ads, or hijack their browser settings. PPI networks can also expose users to further attacks, such as phishing, identity theft, or fraud.
  • Damaging the reputation and performance of legitimate software and platforms: PPI networks can tarnish the reputation and performance of legitimate software and platforms that are used or abused by affiliates to spread malware. For example, PPI networks can harm the trust and credibility of file-sharing or torrent sites that host malicious files, or of software developers or vendors that have their products bundled with malware.
  • Disrupting the stability and availability of internet services and infrastructure: PPI networks can disrupt the stability and availability of internet services and infrastructure that are targeted or affected by malware. For example, PPI networks can contribute to the creation and expansion of botnets that can launch distributed denial-of-service (DDoS) attacks, or to the spread of worms that can consume network bandwidth and resources.

How can PPI networks and malware be detected and prevented?

PPI networks and malware can be detected and prevented by using various security tools and techniques, such as:

  • Antivirus or anti-malware software: These are software programs that can scan, detect, and remove malware from devices. Antivirus or anti-malware software should be updated regularly with the latest definitions and patches to protect against new and emerging threats. Some of the antivirus or anti-malware products that can detect and remove PrivateLoader and its associated malware are:
    • Malwarebytes: This is a popular and effective anti-malware software that can detect and remove various types of malware, including PPI malware. Malwarebytes offers both a free and a premium version, with the premium version providing real-time protection, ransomware protection, and exploit protection. Malwarebytes can be downloaded from the vendor’s website.
    • Zscaler: This is a cloud-based security platform that provides comprehensive protection against malware, phishing, botnets, and other cyber threats. Zscaler operates as a secure web gateway that filters and analyzes all internet traffic and blocks malicious or suspicious content. Zscaler also offers a free online scanner that can check any URL or file for malware. Zscaler can be accessed from the vendor’s website.
    • Microsoft Defender: This is a built-in antivirus and anti-malware software that comes with Windows 10 and Windows 11. Microsoft Defender provides real-time protection, cloud-delivered protection, and offline scanning. Microsoft Defender can also detect and remove PrivateLoader and its associated malware, as shown in Figure 3. Microsoft Defender can be enabled or disabled from the Windows Security settings.
  • Firewall or VPN: These are network security tools that can block or filter malicious network traffic and connections. A firewall or VPN can prevent PPI malware from contacting its C2 servers or downloading additional malware payloads. A firewall or VPN can also protect the user’s online privacy and identity by encrypting and anonymizing their network traffic. Some of the firewall or VPN tools that can protect against PPI malware are:
    • GlassWire: This is a firewall and network monitor that can visualize and manage the network activity on the device. GlassWire can alert the user to any suspicious or unusual network connections, such as those made by PPI malware. GlassWire can also block or allow specific applications or hosts from accessing the internet. GlassWire can be downloaded from the vendor’s website.
    • NordVPN: This is a VPN service that can encrypt and secure the user’s internet traffic. NordVPN can also hide the user’s IP address and location, and allow them to access geo-restricted or censored content. NordVPN can also protect the user from malware, phishing, and ads with its CyberSec feature. NordVPN can be downloaded from the vendor’s website.
    • Windows Firewall: This is a built-in firewall that comes with Windows 10 and Windows 11. Windows Firewall can filter incoming and outgoing network traffic and block or allow specific applications or ports from accessing the internet. Windows Firewall can also create custom rules to control the network activity on the device. Windows Firewall can be enabled or disabled from the Windows Security settings.
  • Education and awareness: These are the most important and effective ways to prevent PPI malware infections. Education and awareness can help the user to recognize and avoid the common methods and channels used by PPI affiliates to spread malware, such as:
    • Bundling: This is the method of attaching or hiding malware within legitimate or popular software, such as games, utilities, or cracks. The user should always download software from official or trusted sources, and check the authenticity and integrity of the software before installing it. The user should also pay attention to the installation process and opt out of any unwanted or additional software or offers.
    • Social engineering: This is the method of manipulating or deceiving the user into downloading or executing malware, such as by using fake or misleading emails, links, or ads. The user should always verify the sender, source, and content of any message or link before clicking on it, and avoid opening any attachments or files from unknown or untrusted sources. The user should also use common sense and caution when encountering any offer or request that seems too good to be true or requires urgent action.
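The bundling advice above says to check the integrity of software before installing it. In practice that means comparing the downloaded file against a digest the vendor publishes separately, typically in a SHA256SUMS-style manifest. The following is an added example written for this post, not code from the original article or from any vendor; the installer bytes, the manifest and the file names are constructed for the demonstration.

```python
"""Verify a downloaded installer against a vendor-published SHA256SUMS manifest.

Added example for the "check the integrity before installing" advice above;
the file contents and manifest are constructed here, not taken from any vendor.
"""
import hashlib
import hmac
import os
import tempfile

HEX_DIGITS = set("0123456789abcdef")


def parse_sha256sums(manifest_text):
    """Parse "<64 hex chars>  <filename>" lines (the sha256sum tool's format)
    into {filename: digest}; reject anything that is not a well-formed entry."""
    digests = {}
    for lineno, raw in enumerate(manifest_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or set(parts[0].lower()) - HEX_DIGITS:
            raise ValueError(f"malformed manifest line {lineno}: {line!r}")
        digest, name = parts
        digests[name.lstrip("*")] = digest.lower()   # "*name" marks binary mode in sha256sum output
    return digests


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_download(path, manifest_text):
    """True only if the manifest lists this file name and the digests match.
    hmac.compare_digest avoids timing differences between near-matches."""
    expected = parse_sha256sums(manifest_text).get(os.path.basename(path))
    if expected is None:
        return False          # unlisted file: treat as unverified, not as OK
    return hmac.compare_digest(sha256_file(path), expected)


def demo():
    """Constructed scenario: a genuine download and a tampered (bundled) copy.
    Returns (genuine_ok, tampered_ok)."""
    # The digest below is SHA-256 of the bytes b"abc", a standard test vector,
    # standing in for a vendor-published installer hash.
    manifest = ("# constructed manifest, not from any real vendor\n"
                "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  installer.exe\n")
    with tempfile.TemporaryDirectory() as tmp:
        genuine = os.path.join(tmp, "installer.exe")
        with open(genuine, "wb") as f:
            f.write(b"abc")
        # Same file name, but a bundler appended extra content: digest changes.
        os.makedirs(os.path.join(tmp, "bundled"))
        tampered = os.path.join(tmp, "bundled", "installer.exe")
        with open(tampered, "wb") as f:
            f.write(b"abc" + b"<appended payload>")
        return verify_download(genuine, manifest), verify_download(tampered, manifest)


if __name__ == "__main__":
    print("genuine verified, tampered verified:", demo())
```

Two design points matter here: a file that is not listed in the manifest is reported as unverified rather than accepted, and the manifest must be fetched from the vendor's own site over HTTPS, not from the same mirror or torrent that supplied the installer, otherwise a bundler can simply publish a matching digest alongside the tampered file.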

At Maagsoft Inc, we are your trusted partner in the ever-evolving realms of cybersecurity, AI innovation, and cloud engineering. Our mission is to empower individuals and organizations with cutting-edge services, training, and AI-driven solutions. Contact us at contact@maagsoft.com to embark on a journey towards fortified digital resilience and technological excellence.