PrivateLoader: Analyzing the Encryption and Decryption of a Modern Loader 


PrivateLoader analysis introduction 

PrivateLoader is a malicious loader family, written in C++ and first discovered in early 2021. 

It is known for delivering a wide range of malware payloads, from simple information stealers to complex rootkits and spyware.

Distribution is run as a Pay-Per-Install (PPI) service, a popular business model in the cybercriminal ecosystem in which the loader's operators are paid by customers for each successful installation of the customers' payloads on infected machines.

  • The loader decrypts the libraries it loads at runtime rather than referencing them in the clear, which hides its dependencies from static analysis.
  • At present, two versions of PrivateLoader are in circulation: one protected by VMProtect, and an unprotected version.
  • Two to four new samples of this malware are uploaded every day.
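The following script is an added illustration of what runtime-decrypted library names mean for an analyst; it is not code from the original analysis and makes no claim about PrivateLoader's real algorithm. The string table is constructed inline, and the single-byte XOR scheme and the key 0x5A are hypothetical stand-ins chosen so the example runs offline. The point it demonstrates is the known-plaintext approach: brute-force the key space until the recovered table consists entirely of plausible DLL names.

```python
"""Added example (not from the original analysis): recover runtime-decrypted
library names from a loader's encrypted string table.

The single-byte XOR scheme and the key below are HYPOTHETICAL, chosen only to
illustrate the analyst's workflow; they are not PrivateLoader's algorithm.
"""

# Constructed plaintexts used to build the sample blob (not taken from any sample).
LIBRARY_NAMES = ["kernel32.dll", "advapi32.dll", "wininet.dll"]
KEY = 0x5A  # hypothetical key used to build the constructed sample


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key; encryption and decryption are the same op."""
    return bytes(b ^ key for b in data)


def build_blob(names, key: int) -> bytes:
    """Build the constructed sample: each NUL-terminated name is encrypted and concatenated."""
    return b"".join(xor_bytes(n.encode("ascii") + b"\x00", key) for n in names)


def split_names(decrypted: bytes):
    """Split a NUL-terminated string table into its individual strings."""
    return [s.decode("ascii", "replace") for s in decrypted.split(b"\x00") if s]


def looks_like_dll_table(strings) -> bool:
    """Known-plaintext heuristic: every recovered string is printable and ends with '.dll'."""
    return bool(strings) and all(
        s.isprintable() and s.lower().endswith(".dll") for s in strings
    )


def recover_key(blob: bytes):
    """Try all 256 single-byte keys; return (key, names) for the first that yields a DLL table,
    or (None, []) if no key produces a plausible table."""
    for key in range(256):
        names = split_names(xor_bytes(blob, key))
        if looks_like_dll_table(names):
            return key, names
    return None, []


if __name__ == "__main__":
    sample = build_blob(LIBRARY_NAMES, KEY)  # stands in for a blob carved from a binary
    key, names = recover_key(sample)
    print(f"key=0x{key:02x} names={names}")
```

In practice the blob would be carved from the sample's data section and the heuristic tuned to whatever the loader resolves (exported function names as well as DLL names); the brute-force step stays the same as long as the scheme is a short-key XOR.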
