PrivateLoader is changing its behavior, trying to evade detection and sandbox detonations. I've been observing this in recent days and it's time to update rules.
A common detonation since this day is something like this:
Build gets to /tracemap.php and then communicates with /firegate.php in order to load executables.
ET rule "ET MALWARE Win32/BeamWinHTTP CnC Activity M2 (GET)" was helping to detect PrivateLoader-related traffic.
On December 20th, this behavior changed and now PrivateLoader builds get to /bing_release.php and then communicate with /flash.php in order to load executables. Please note the sandbox detection by these PrivateLoader builds and the drop in the executables being loaded.
Examples on new behavior:
Analysis https://akaktif.com/server/release.rar Malicious activity - Interactive analysis ANY.RUN
Analysis https://pablomirandaarquitecto.cl/wp-upload/setup.rar?ee=file.zip Malicious activity - Interactive analysis ANY.RUN
Analysis https://acsship.com/server/release.rar Malicious activity - Interactive analysis ANY.RUN
MITM
Analysis https://bytebreez.com/wp/setup.rar Malicious activity - Interactive analysis ANY.RUN
An update to the ET rules is needed in order to detect these new communications between PrivateLoader builds and C2s (because there is currently no detection).
Thank you!
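As an added illustration (not part of the original post and not an ET rule), the staging-then-loader request pattern described above written as log-correlation logic over constructed sample lines; the log format, source IPs and hostnames are assumed.

```python
import re
from collections import defaultdict

# Constructed sample of HTTP/proxy log lines (not from the original post):
# "<src_ip> <method> <host> <uri>"
SAMPLE_LOG = """\
10.0.0.5 GET example-c2.invalid /bing_release.php
10.0.0.5 GET example-c2.invalid /flash.php
10.0.0.7 GET example-c2.invalid /tracemap.php
10.0.0.7 GET example-c2.invalid /firegate.php
10.0.0.9 GET cdn.example.invalid /flash.php
"""

# URI pairs from the post: the older staging/loader pair and the one
# observed after December 20th. Each is (first request, second request).
STAGE_PAIRS = {
    "old": ("/tracemap.php", "/firegate.php"),
    "new": ("/bing_release.php", "/flash.php"),
}

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(log):
    """Yield (src_ip, method, host, uri) tuples; skip malformed lines."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groups()


def find_loader_sequences(log):
    """Return {src_ip: [labels]} for sources that issued a GET to a
    staging URI and afterwards a GET to the matching loader URI.
    A lone loader request (no prior staging request) is not flagged,
    which keeps a generic /flash.php hit from raising an alert."""
    staged = defaultdict(set)   # src_ip -> labels whose staging URI was seen
    hits = defaultdict(list)    # src_ip -> labels completed in order
    for src, method, host, uri in parse(log):
        if method != "GET":
            continue
        for label, (stage_uri, loader_uri) in STAGE_PAIRS.items():
            if uri == stage_uri:
                staged[src].add(label)
            elif uri == loader_uri and label in staged[src] and label not in hits[src]:
                hits[src].append(label)
    return dict(hits)
```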