Friday 4 October 14:30 - 15:00, Green room
Dmitrij Lenz (Google (Threat Analysis Group)) & James Wyke (Google Cloud (Mandiant))
The delivery of malicious content to potential targets still presents a substantial challenge for numerous cybercriminals. The crime ecosystem has responded to this challenge by offering a diverse range of services. Among these, pay-per-install (PPI) networks continue to be the most reliable in terms of infection rate. A comprehensive assessment of a range of PPI networks, coupled with an exhaustive analysis of their customer base, is seldom presented. Our goal is to close this gap and provide an up-to-date map of PPI families, their architecture and their associated payloads.
Over the past few years, Google’s Threat Analysis Group (TAG) and Mandiant have developed and maintained botnet emulation frameworks, which allowed us to surface the most prevalent players on the PPI market and their customers. We aim to shed light on the detrimental impact of such networks, not only on corporations but also individuals, a topic that has received less attention.
In this presentation we will explore existing PPI services and their customers. We will cover prominent families including PrivateLoader, Satacom and SmokeLoader, as well as platforms that are less known to the general public. Particular attention will be paid to the delivery strategy and payload variety of the different networks. Alongside common infostealers (LummaStealer, Rhadamanthys, etc.) we will see many interesting users of such networks. Within this cohort, certain malware families have previously been covered by Google TAG (e.g. Glupteba), while others are more recent (e.g. HijackLoader, Socks5Systemz). We will also look at collaboration between PPI networks and their cross-distribution of each other's payloads. Finally, we will evaluate whether the high prevalence of certain payloads across PPI networks correlates with the nature of the relationships between the malware operators.
The presentation will also address the challenges of maintaining an accurate view of the various botnets. Technical issues, such as cloaking techniques and victim fingerprinting, will be explored, as well as human factors. In conclusion, we will present our approach to effectively addressing these difficulties.
In essence, this presentation is a comprehensive resource for understanding the PPI ecosystem and its impact on criminal operations, which should increase awareness in the industry and assist other security researchers in their investigations.
Dmitrij Lenz is a member of the Threat Analysis Group at Google, concentrating on financially motivated threats. In his research, Dmitrij analyses the mechanisms that facilitate the operations of threat actors, including botnets, loaders, and C2 platforms, among others. Before joining Google, he had over a decade of experience in the areas of threat intelligence, malware detection, vulnerability management and incident response, serving several organizations.
James Wyke leads a technical security research team for Mandiant Intelligence, now part of Google Cloud. He has been working in the security industry for nearly 20 years, trying to help make the internet a better place by breaking malware and creating a difficult environment for bad guys to operate in.
Back to VB2024 conference page