PrivateLoader, a pay-per-install (PPI) malware service has been flecked circulating a new and sophisticated malware framework dubbed, “NetDooka.” Malware like this has the capability of giving the attackers full control over the devices they infected.
NetDooka contains multiple parts, including:-
- Protection driver
A variety of malicious software in the form of malware is downloaded and installed by PrivateLoader into the affected systems, including:-
- RedLine Stealer
Here’s what Aliakbar Zahravi and Leandro Froes from Trend Micro stated:-
“The use of a malicious driver creates a large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as protecting processes and files, bypassing antivirus programs, and hiding the malware or its network communications from the system, among others.”
Written in C++ programming language, the PrivateLoader is a real-time application that employs anti-analysis techniques which makes it more sophisticated.
At the moment, the downloader malware family has gained wide traction among a number of different threat actors, and it is currently in active development.
Users are infected through inadvertent downloading of PrivateLoader via pirated software downloads. Once installed, the NetDooka malware is loaded, disabling encryption, and then the loader component is executed.
Next, certain checks are performed to ensure the loader is not running in a virtual environment, and from the remote server, a malicious program is downloaded.
Another element of the loader that is executed by the malware is a dropper component. It is the dropper’s responsibility to decrypt and execute the final payload, a fully-functional and powerful RAT containing several features.
Initial Infection Vector
It is primarily distributed through pirated software downloads, as this is PrivateLoader’s initial infection vector. In the process of installing NetDooka malware, the downloader also installs one of the components that will decrypt and execute the loader.
In order to execute an antivirus uninstaller, the loader installs a kernel driver, in addition to creating a virtual desktop. Besides interacting with the uninstaller, it prepares the environment for the execution of other components by emulating mouse and pointer positions.
After the loader executes the dropper, a full-featured RAT is executed by another dropper. In addition to its multiple functions, the RAT also features the following capabilities:-
- Start a remote shell
- Acquire browser data
- Take screenshots
- Gather system information
This malware is not only capable of serving as an entry point for other malware, but it is also capable of stealing sensitive information from computers and forming botnets that are remote-controlled.