This blog post comes from the “Cylance Ransomware Technical Analysis Report” by the Brandefense Research Team. For more details about the analysis, download the report.

Summary

The realm of cybersecurity is perpetually challenged by the evolution and sophistication of cyber threats, among which the Pay-Per-Install (PPI) malware services stand as a significant and enduring component. These services, deeply entrenched in the cybercrime ecosystem, have streamlined the monetization of malicious software installations, posing a persistent threat to digital security. This report delves into the intricate workings of such a service, with a particular focus on the technical analysis of PrivateLoader, a notable player in this nefarious field.

Pay-Per-Install services operate on a simple yet effective business model: a malware operator provides the service operator with a payload, a specified number of installations, and targeted geographical locations. The service operators, in turn, are tasked with the distribution of the malware, adhering to the customer’s specifications. This transactional nature of malware distribution not only simplifies the process for

cybercriminals but also broadens the reach and impact of their malicious activities. The moderate costs and ease of access to these services have enabled malware operators to utilize them as a potent tool for widespread, targeted, and rapid deployment of various malware types.

This report aims to provide a comprehensive technical analysis of PrivateLoader, exploring its operational mechanisms, distribution strategies, and the broader implications of its activities within the cybercrime ecosystem. By dissecting this malware, we seek to offer valuable insights into its functionality, thereby contributing to the development of more effective cybersecurity measures against such advanced threats.

While PrivateLoader is the starting point for the distribution of many types of malware, there has recently been an increase in the distribution of the RiseProStealer malware, which was developed for information theft. For this reason, the report we have prepared includes an in-depth technical analysis of the RiseProStealer malware, which is the final payload intended to be dropped on the target system, together with the PrivateLoader used as a dropper.

In the ever-evolving landscape of cyber threats, the emergence of the RisePro Stealer malware marks a significant milestone in the sophistication and capabilities of malicious software targeting digital assets and personal information. RisePro Stealer, identified in 2022, has rapidly gained notoriety for its advanced mechanisms and effectiveness in infiltrating systems and exfiltrating sensitive data. Its emergence is a testament to the continuous innovation among cybercriminals and the escalating challenges faced by cybersecurity professionals.

Scope

Infection Chain

Mitigation Strategies

• Keep all software, including operating systems and applications, up-to-date with the latest patches.
• Use web filters to block access to malicious websites.
• Consider using ad blockers to prevent malvertising attacks.
• Implement robust spam filters to prevent phishing emails from reaching users.
• Scan email attachments for malware before they can be opened.
• Train users to recognize and report suspicious emails.
• Use both hardware and software firewalls to monitor and control incoming and outgoing network traffic.
• Ensure that your antivirus software provides real-time scanning and threat detection.

Download YARA Rules and IoCs from GitHub.

This blog post comes from the “Mystic Stealer Technical Analysis Report” by the Brandefense Research Team. For more details about the analysis, download the report.