Privateloader is changing its behavior, trying to evade detection and sandbox detonations. I've been observing this in recent days and it's time to update the rules.
A common detonation since this day is something like this:
The build gets to /tracemap.php and then communicates with /firegate.php in order to load executables.
ET rule “ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)” was helping to detect privateloader related traffic.
On December 20th this behavior changed: Privateloader builds now get to /bing_release.php and then communicate with /flash.php in order to load executables. Please note the sandbox detection by these Privateloader builds and the drop in the executables being loaded.
An update of the ET rules is needed in order to detect these new communications between Privateloader builds and C2s (because there is currently no detection).
New C2s now use port 3306 to communicate between the build and the C2 host; please see the attached detonation, focusing on PID 5356, for the new behaviour.
There is interaction between the C2 and the host, then an encrypted string in which the configuration is received from the C2 host, and then the loading of malware is done.
Both builds used in the detonations were grabbed from the same malvertising ad networks used by the InstallsKey PPI service, known for years, so there should be no problem associating the source of both builds with the same origin.
There is no rule detection of this new Privateloader behavior. The old behavior has not been observed since October 5th; some old C2s were destroyed or the traditional files inside them were deleted (making them obsolete). So there should be no more questions about associating this new malware behavior with traditional Privateloader builds.
I took a look at the new Privateloader run and compared it to another run I found on any.run that looks like it was your doing.
I noticed on the 3306 communications that the infected client usually initiates the communication, and in both of these runs the first bit of traffic is a 14-byte packet that, aside from the final 2 bytes, has a 12-byte pattern consistent with the new Privateloader run you shared in the post above. So for now, I'm using that to create a signature:
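As an added illustration of the approach described in the reply above (this is not code from the thread or from the Emerging Threats ruleset), the following script shows how a "first client packet" observation turns into a byte-prefix signature: it takes the first client-to-server payload from several detonations, computes the shared prefix, and renders a Suricata rule with `dsize`, `content`, `offset` and `depth` pinning that prefix. The actual 12-byte pattern is not published in the thread, so the sample packets and the SID below are constructed placeholders, not the real Privateloader bytes.

```python
"""
Derive a byte-prefix signature from the first client->server payload seen in
several sandbox runs and render it as a Suricata rule.

Added example, not from the thread. SAMPLE_FIRST_PACKETS are constructed
placeholders: the real 12-byte Privateloader prefix is not given in the thread.
"""
from typing import List

# Constructed sample: first client->C2 payload on tcp/3306 from three runs.
# Each is 14 bytes; bytes 0-11 are identical, bytes 12-13 differ per run,
# mirroring the shape the reply describes (pattern + 2 trailing bytes).
SAMPLE_FIRST_PACKETS: List[bytes] = [
    bytes.fromhex("0102030405060708090a0b0c" + "1a2b"),
    bytes.fromhex("0102030405060708090a0b0c" + "33f4"),
    bytes.fromhex("0102030405060708090a0b0c" + "c001"),
]


def common_prefix(packets: List[bytes]) -> bytes:
    """Return the longest byte prefix shared by every packet in the list."""
    if not packets:
        return b""
    prefix = packets[0]
    for pkt in packets[1:]:
        n = 0
        for a, b in zip(prefix, pkt):
            if a != b:
                break
            n += 1
        prefix = prefix[:n]
    return prefix


def hex_content(data: bytes) -> str:
    """Format bytes as a Suricata pipe-delimited hex content string."""
    return "|" + " ".join(f"{b:02x}" for b in data) + "|"


def build_rule(prefix: bytes, dsize: int, sid: int, dport: int = 3306,
               msg: str = "Privateloader CnC Checkin (client hello, tcp/3306)") -> str:
    """
    Render a Suricata rule that fires on a client-initiated payload of exactly
    `dsize` bytes that begins with `prefix`. `to_server` encodes the observation
    that the infected host sends first; dsize/offset/depth pin the 12-byte
    pattern to the start of the payload and ignore the two variable bytes.
    `sid` is a placeholder; pick one from your local range.
    """
    return (
        f"alert tcp $HOME_NET any -> $EXTERNAL_NET {dport} "
        f'(msg:"{msg}"; flow:established,to_server; '
        f'dsize:{dsize}; content:"{hex_content(prefix)}"; offset:0; depth:{len(prefix)}; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def payload_matches(payload: bytes, prefix: bytes, dsize: int) -> bool:
    """Mirror the rule's dsize + anchored-content logic on a raw payload."""
    return len(payload) == dsize and payload.startswith(prefix)


if __name__ == "__main__":
    prefix = common_prefix(SAMPLE_FIRST_PACKETS)
    print(f"shared prefix: {len(prefix)} bytes -> {hex_content(prefix)}")
    print(build_rule(prefix, dsize=len(SAMPLE_FIRST_PACKETS[0]), sid=9000001))
```

A caveat worth keeping in mind when deploying a rule like this on tcp/3306: in the MySQL protocol the server speaks first (its initial handshake packet), so a 14-byte client-first payload already stands apart from legitimate MySQL traffic, but the rule should still be validated against real database traffic in your environment before it goes beyond alert-only, and the 12-byte prefix should be re-derived from real captures rather than the placeholder bytes above.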