Privateloader

PrivateLoader is changing its behavior, trying to evade detection and sandbox detonations. I’ve been observing this in recent days, and it’s time to update rules.

A common detonation since this day is something like this:

Analysis https://consciencepropre.com/wp-content/uploads/release_09.rar Malicious activity - Interactive analysis ANY.RUN

Build gets to /tracemap.php and then communicates with /firegate.php in order to load executables.
ET rule “ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)” was helping to detect privateloader related traffic.

On December 20th, this behavior changed, and now PrivateLoader builds get to /bing_release.php and then communicate with /flash.php in order to load executables. Please note the sandbox detection by these PrivateLoader builds and the drop in the executables being loaded.

Examples of the new behavior:
Analysis https://akaktif.com/server/release.rar Malicious activity - Interactive analysis ANY.RUN
Analysis https://pablomirandaarquitecto.cl/wp-upload/setup.rar?ee=file.zip Malicious activity - Interactive analysis ANY.RUN
Analysis https://acsship.com/server/release.rar Malicious activity - Interactive analysis ANY.RUN
MITM
Analysis https://bytebreez.com/wp/setup.rar Malicious activity - Interactive analysis ANY.RUN

An update to the ET rules is needed in order to detect these new communications between PrivateLoader builds and C2s (because there is currently no detection).

Thank you!
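The two-stage URI pattern described in the post (stage-one page, then the URI that loads executables), checked over simple HTTP request logs, as an added example that is not part of the original thread or of any ET rule: the log format, host names, client addresses and request methods are constructed for the example, and the detector keys only on the URI pairs named above.

```python
import re
from collections import defaultdict

# URI pairs from the thread: the first request reaches the stage-one page, the
# second loads executables. Old pair (before the December 20th change), then new.
STAGE_PAIRS = [
    ("/tracemap.php", "/firegate.php"),
    ("/bing_release.php", "/flash.php"),
]

# Constructed log format: "<timestamp> <client> <method> <host> <path>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<host>\S+) (?P<path>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore any query string
    return rec


def find_privateloader_sequences(lines):
    """Return (client, host, stage1, stage2) for every client/host pair that
    requested a stage-one URI and later the matching stage-two URI."""
    seen_first = defaultdict(set)  # (client, host) -> stage-one paths seen
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec["src"], rec["host"])
        for first, second in STAGE_PAIRS:
            if rec["path"] == first:
                seen_first[key].add(first)
            elif rec["path"] == second and first in seen_first[key]:
                hit = (rec["src"], rec["host"], first, second)
                if hit not in hits:  # report each sequence once
                    hits.append(hit)
    return hits


# Constructed sample: one new-style sequence, one old-style sequence, and a
# lone /flash.php request (no stage one) that must not be flagged.
SAMPLE_LOG = """\
2000-01-01T10:00:01 10.0.0.5 GET c2.example /bing_release.php
2000-01-01T10:00:03 10.0.0.5 POST c2.example /flash.php
2000-01-01T10:01:00 10.0.0.7 GET c2.example /flash.php
2000-01-01T10:02:00 10.0.0.9 GET old.example /tracemap.php?id=1
2000-01-01T10:02:05 10.0.0.9 POST old.example /firegate.php
"""

if __name__ == "__main__":
    for hit in find_privateloader_sequences(SAMPLE_LOG.splitlines()):
        print("suspected PrivateLoader sequence:", hit)
```

A single stage-two request without its stage-one request is deliberately not reported, which keeps the check tighter than matching on either URI alone.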

Thanks for the heads up on this! It seems this is quite a rabbit hole; we’ll see what we can come up with for coverage.

JT

2049837 - ET MALWARE Suspected PrivateLoader Activity (POST)

Went out today, if/when we see some hits on that sig we can remove the Suspected or otherwise update it based on what we are seeing.

JT
