Experts found an advanced malware framework and it has named it as NetDooka because of a few components. The framework is deployed via a pay-per-install (PPI) service and includes various parts, which include a loader, a dropper, a full-featured remote access Trojan (RAT), and a protection driver that deploys its own network communication protocol. "Upon execution, the loader will deobfuscate strings, such as the command-and-control (C&C) server address, and check for the command-line arguments that were passed. The malware accepts multiple arguments that indicate what action should be taken," says TrendMicro report.
NetDooka is distributed via the PrivateLoader malware which after installing, starts the exploitation chain. The report emphasizes the components and infection chain of the NetDooka framework. The scope varies from the issue of the first payload, which drops a loader that makes a new virtual desktop to deploy an antivirus software uninstaller and communicate with it by emulating the mouse and pointer position- an essential step to complete the uninstallation process and make an environment for executing other components- until the launch of the final RAT that is guarded by a kernel driver.
The infection starts after a user unknowingly downloads PrivateLoader, generally via pirated software sites, after that, NetDooka malware gets installed, a dropper component that results in decrypting and implementing the loader component. The loader starts various checks to make sure that the malware isn't working in a virtual environment, following that it installs another malware through a remote server. It can also download a kernel driver that can be used later.
The downloaded malware is another dropper component that a loader executes, it is responsible for decryption and execution of the final payload, a RAT has multiple features like executing a remote shell, getting browser data, capturing screenshots, and accessing system information. TrendMicro says "If no parameter is passed to the loader, it executes a function called “DetectAV()” that queries the registry to automatically identify the antivirus products available in order to uninstall them."