NetDooka RAT

Security researchers recently discovered a new, multi-component malware that has been nicknamed NetDooka, after one of its components.

NetDooka is described as a malicious "framework" because of its multiple moving parts and modules, but at its core lies a remote access trojan (RAT). The malware is distributed through a pay-per-install service. Besides the RAT at its core, the framework also contains an initial loader, a dropper module, and a protection driver.

PrivateLoader, a separate piece of malware, handles the distribution of NetDooka. It is a Swiss Army knife of a loader, used to download not just NetDooka but any other paid malicious applications and modules served through the same central pay-per-install infrastructure.

In the first stage of infection, NetDooka's loader creates a new virtual desktop and uses it to launch an uninstaller for antivirus software. At this stage, the malware emulates mouse input to interact with the uninstaller's prompts.
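A defender-side check that follows from this stage (an added example, not code from the original article or from the researchers who analysed NetDooka): enumerate the desktop objects on the interactive window station and flag any beyond the standard Windows ones. The baseline set of desktop names, the window station name WinSta0 and the constructed sample input are assumptions made for this example; legitimate software also creates desktops, so a hit is a lead to investigate rather than an indicator on its own.

```python
import sys

# Desktop object names normally present on the interactive window station
# (WinSta0) of a Windows session. Assumed baseline for this example; legitimate
# software (secure-input tools, some installers) can also create desktops, so
# anything flagged here is a lead to investigate, not proof of infection.
EXPECTED_DESKTOPS = {"default", "winlogon", "disconnect", "screen-saver"}


def unexpected_desktops(names):
    """Return the desktop names that are not part of the expected baseline.

    Comparison is case-insensitive; the result is sorted for stable output.
    """
    return sorted({n for n in names if n.lower() not in EXPECTED_DESKTOPS})


def enumerate_desktops(window_station="WinSta0"):
    """List desktop objects on a window station via user32!EnumDesktopsW.

    Windows only: the Win32 API is loaded lazily so the module still imports
    elsewhere (e.g. to run unexpected_desktops over constructed input).
    """
    if sys.platform != "win32":
        raise OSError("desktop enumeration requires the Win32 user32 API")

    import ctypes
    from ctypes import wintypes

    user32 = ctypes.WinDLL("user32", use_last_error=True)
    WINSTA_ENUMDESKTOPS = 0x0001  # access right required by EnumDesktops

    # BOOL CALLBACK DesktopEnumProc(LPWSTR lpszDesktop, LPARAM lParam)
    DESKTOPENUMPROCW = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.LPWSTR, wintypes.LPARAM)

    user32.OpenWindowStationW.argtypes = [wintypes.LPCWSTR, wintypes.BOOL, wintypes.DWORD]
    user32.OpenWindowStationW.restype = wintypes.HANDLE
    user32.EnumDesktopsW.argtypes = [wintypes.HANDLE, DESKTOPENUMPROCW, wintypes.LPARAM]
    user32.EnumDesktopsW.restype = wintypes.BOOL
    user32.CloseWindowStation.argtypes = [wintypes.HANDLE]
    user32.CloseWindowStation.restype = wintypes.BOOL

    found = []

    def collect(name, _lparam):
        found.append(name)
        return True  # keep enumerating

    hwinsta = user32.OpenWindowStationW(window_station, False, WINSTA_ENUMDESKTOPS)
    if not hwinsta:
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        callback = DESKTOPENUMPROCW(collect)  # keep the thunk alive during the call
        if not user32.EnumDesktopsW(hwinsta, callback, 0):
            raise ctypes.WinError(ctypes.get_last_error())
    finally:
        user32.CloseWindowStation(hwinsta)
    return found


if __name__ == "__main__":
    if sys.platform == "win32":
        desktops = enumerate_desktops()
    else:
        # Constructed sample: the Windows defaults plus one extra desktop of the
        # kind a loader could create to hide interactive activity.
        desktops = ["Default", "Winlogon", "Disconnect", "Screen-saver", "HiddenWork"]
    print("desktops on WinSta0:", desktops)
    print("unexpected:", unexpected_desktops(desktops))
```

Run it as the interactive user on a Windows host to see the live desktop list; on any other platform it falls back to the constructed sample so the classification logic can still be exercised.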

The NetDooka RAT has a built-in module that checks whether it is running in a sandbox or virtual machine, to improve its chances of avoiding analysis by security researchers. A second-stage loader is then downloaded, which decrypts and launches the final RAT payload. The RAT's features include browser data exfiltration, collecting system information, and executing remote shell commands.

NetDooka includes a kernel driver that is intended to protect the ultimate payload of the RAT.

Researchers believe the malware is still in active development: several slightly different versions of the NetDooka files downloaded in the initial PrivateLoader step have been observed.

May 10, 2022