A pay-per-install (PPI) malware service known as PrivateLoader has been spotted distributing a “fairly sophisticated” framework called NetDooka, granting attackers full control over the infected devices.
“The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol,” Trend Micro said in a report published Thursday.
PrivateLoader, as documented by Intel 471 in February 2022, functions as a downloader responsible for fetching and installing additional malware onto the infected system, including SmokeLoader, RedLine Stealer, Vidar, Raccoon, GCleaner, and Anubis.
Featuring anti-analysis techniques, PrivateLoader is written in the C++ programming language and is said to be in active development, with the downloader malware family gaining traction among multiple threat actors.
PrivateLoader infections are typically propagated through pirated software downloaded from rogue websites that are pushed to the top of search results via SEO (search engine optimization) poisoning techniques.
“PrivateLoader is currently used to distribute ransomware, stealer, banker, and other commodity malware,” Zscaler noted last week. “The loader will likely continue to be updated with new features and functionality to evade detection and effectively deliver second-stage malware payloads.”
The framework, still in its development phase, contains several distinct modules: a dropper, a loader, a kernel-mode process and file protection driver, and a remote access trojan that uses a custom protocol to communicate with the command-and-control (C2) server.
The newly observed set of infections involving the NetDooka framework begins with PrivateLoader acting as a conduit to deploy a dropper component, which then decrypts and executes a loader that, in turn, retrieves another dropper from a remote server to install a full-featured trojan as well as a kernel driver.
“The driver component acts as a kernel-level protection for the RAT component,” researchers Aliakbar Zahravi and Leandro Froes said. “It does this by attempting to prevent the file deletion and process termination of the RAT component.”
The backdoor, dubbed NetDookaRAT, is notable for its breadth of functionality, enabling it to run commands on the target’s machine, carry out distributed denial-of-service (DDoS) attacks, access and send files, log keystrokes, and download and execute additional payloads.
This means that NetDooka’s capabilities not only allow it to act as an entry point for other malware, but can also be weaponized to steal sensitive information and form remote-controlled botnets.
“PPI malware services allow malware creators to easily deploy their payloads,” Zahravi and Froes concluded.
“The use of a malicious driver creates a large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as protecting processes and files, bypassing antivirus programs, and hiding the malware or its network communications from the system.”