A new malware framework known as NetDooka has been discovered that is distributed via the PrivateLoader pay-per-install (PPI) malware distribution service, allowing threat actors full access to an infected device.
This previously undocumented malware framework features a loader, a dropper, a protection driver, and a powerful RAT component that is based on a custom network communication protocol.
The first samples of NetDooka were discovered by researchers at Trend Micro, who caution that while the tool is still in an early stage of development, it is already very capable.
The fact that it is distributed via the PrivateLoader malware distribution service reflects this capability, as its authors considered the malware ready for large-scale deployment.
Deployment via PrivateLoader
The PrivateLoader PPI service was first detected a year ago and analyzed by Intel471 in February 2022. In short, it is a malware distribution platform that relies on SEO poisoning and linked files uploaded to torrent sites.
It has been observed to distribute a wide variety of malware including Raccoon Stealer, Redline, Smokeloader, Vidar, Mars Stealer, Trickbot, Danabot, Remcos and other varieties of malware.
Trend Micro analysts observed that in recent operations NetDooka takes over the infection chain after being dropped onto the victim's machine.
First, it decrypts and runs a loader, which checks the Windows Registry for installed antivirus tools and removes or disables them.
A malicious set of drivers is then installed to act as kernel-mode protection for the RAT component, preventing the removal of the payload or the termination of its processes.
Finally, the framework establishes a communications link with the C2 server to obtain the final payload, the NetDooka RAT. Trend Micro notes that in some cases, PrivateLoader drops the RAT directly.
NetDooka RAT
Before entering normal operating mode, NetDooka RAT checks if it is running in an analysis environment and if a copy of itself already exists on the system.
The RAT receives commands over TCP and supports a variety of functions, such as performing file actions, logging keystrokes, executing shell commands, using host resources for DDoS attacks, or performing remote desktop operations.
The full list of supported features is provided below:
- Exfiltrate system information
- Send session ID
- Send Message
- Reverse shell
- DDoS attack
- Send file
- Download file
- Copy browser data
- Start HVNC
- Submit record
- Microphone pickup
- Start Virtual Network Computing (VNC)
- Capture webcam
Communication between C2 and NetDooka RAT is based on a custom protocol, with the packets exchanged resembling the following format:
Because NetDooka is at an early stage of development, any of the above may change soon and there are already variants out there that have different feature sets.
Right now, it is a tool that threat actors could use to establish short-term persistence and conduct espionage and information theft operations.
However, since it embeds a loader as part of the malware framework, it could potentially obtain other strains of malware in addition to its own RAT component.