NetDooka RAT
Security researchers recently discovered a new, multi-component malware that has been nicknamed NetDooka, after one of its components.
NetDooka is described as a malicious "framework" due to its multiple moving parts and modules, but at its core lies a remote access trojan (RAT). The malware is distributed using a pay-per-install service. On top of the RAT at the core of NetDooka, the framework also contains an initial loader, a dropper module, and a protection driver.
PrivateLoader, a separate piece of malware, is used to distribute NetDooka. PrivateLoader is a sort of Swiss Army knife, used to download not just NetDooka but also the other malicious paid applications and modules served through the same central pay-per-install infrastructure and service.
In the first stage of infection, NetDooka uses a loader that creates a new virtual desktop instance and uses it to launch an uninstaller that removes antivirus software. At this stage, the malware emulates mouse input to interact with the uninstaller's prompts.
The NetDooka RAT has a built-in module that checks whether it is running in a sandbox or virtual environment, to improve its chances of evading analysis by security researchers. A second-stage loader is then downloaded, which decrypts and launches the final payload. This final-stage payload is the remote access trojan itself, which has a number of features, including browser data exfiltration, collecting system information, and executing remote shell commands.
NetDooka includes a kernel driver that is intended to protect the ultimate payload of the RAT.
Researchers believe the malware is still in active development, as several slightly different versions of the NetDooka files downloaded in the initial PrivateLoader step have been observed.