NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service

Trend Micro



This report focuses on the components and infection chain of the NetDooka framework. Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver.

By: Aliakbar Zahravi, Leandro Froes, May 05, 2022

We recently encountered a fairly sophisticated malware framework that we named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. During our analysis, we discovered that NetDooka was being spread via the PrivateLoader malware which, once installed, starts the whole infection chain.

As previously described by Intel471, the PrivateLoader malware is a downloader responsible for downloading and installing multiple malware into the infected system as part of the PPI service. Due to the way the PPI service works, the exact payloads that would

Read More: https://www.trendmicro.com/en_us/research/22/e/netdooka-framework-distributed-via-privateloader-ppi.html