Researchers have uncovered a new malware framework that they say is fairly sophisticated and is being spread as part of the known pay-per-install (PPI) PrivateLoader malware service.
The framework, which researchers call NetDooka (due to the names of some of its components), contains multiple parts, including a loader, dropper, protection driver and a remote access trojan (RAT) with its own network communication protocol. Researchers said the malware framework’s capabilities enable it to act as an entry point for other malware.
“PPI malware services allow malware creators to easily deploy their payloads,” said Aliakbar Zahravi and Leandro Froes with Trend Micro in a Thursday analysis. “The use of a malicious driver creates a large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as protecting processes and files, bypassing antivirus programs, and hiding the malware or its network communications from the system, among others.”
PrivateLoader’s initial infection vector is typically a pirated software download. The downloader then installs the first NetDooka component, a dropper that decrypts and executes the loader. The loader installs a kernel driver and then creates a new virtual desktop in which it runs an antivirus software uninstaller, driving the uninstaller by emulating mouse movement and pointer position. This also lets it prepare the environment for executing the remaining components.
The loader then executes a second dropper, which installs a full-featured RAT. The RAT has multiple functionalities, including the ability to start a remote shell, grab browser data, take screenshots and gather system information. It may also leverage the previously installed kernel driver component to protect the dropped payload, researchers said.
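The infection chain described above (kernel driver installed, hidden virtual desktop created, antivirus uninstaller launched, then a further payload dropped) is a sequence defenders can correlate on. The following is an added example, not code from Trend Micro, Intel 471 or the article; the event names, field names and sample telemetry are constructed and hypothetical, and would need mapping onto a real EDR or Sysmon schema. It walks each process's time-ordered events and alerts only when the full ordered chain occurs within a time window.

```python
"""Behaviour-chain correlator for a NetDooka-style loader sequence.

Added illustrative example; the telemetry schema ("type", "service_kind",
"image", ...) and the SAMPLE_EVENTS below are constructed, not real data.
"""
from collections import defaultdict

# Ordered stages of the loader behaviour, each as (name, predicate over an event).
# "pid" on every event is the process performing the action; for process_create
# events "image" is the child that was started.
STAGES = [
    ("driver_install",
     lambda e: e["type"] == "service_create" and e.get("service_kind") == "kernel_driver"),
    ("virtual_desktop",
     lambda e: e["type"] == "desktop_create"),
    ("av_uninstaller",
     lambda e: e["type"] == "process_create" and "uninstall" in e.get("image", "").lower()),
    ("payload_drop",
     lambda e: e["type"] == "process_create"
     and e.get("image", "").lower().endswith(".exe")
     and "uninstall" not in e.get("image", "").lower()),
]


def match_chain(evts, window_s):
    """Walk STAGES in order over one process's time-sorted events.

    Returns a list of (stage_name, ts) for the complete chain, or None if the
    chain is incomplete or the last stage falls outside window_s of the first.
    """
    matched, idx, start = [], 0, None
    for e in evts:
        if idx >= len(STAGES):
            break
        name, pred = STAGES[idx]
        if pred(e):
            if start is None:
                start = e["ts"]
            if e["ts"] - start > window_s:
                return None  # chain too slow to be the tight loader sequence
            matched.append((name, e["ts"]))
            idx += 1
    return matched if idx == len(STAGES) else None


def correlate(events, window_s=600):
    """Group events by acting process and return one alert per full chain."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[e["pid"]].append(e)
    alerts = []
    for pid, evts in sorted(by_pid.items()):
        evts.sort(key=lambda e: e["ts"])
        m = match_chain(evts, window_s)
        if m:
            alerts.append({"host": evts[0].get("host"), "pid": pid, "stages": m})
    return alerts


# Constructed sample telemetry: a benign process (pid 100), a legitimate
# driver install with no follow-on behaviour (pid 555), and a loader-like
# process (pid 4242) that completes the whole chain in 80 seconds.
SAMPLE_EVENTS = [
    {"ts": 0,   "host": "ws01", "pid": 100,  "type": "process_create", "image": "C:\\Windows\\notepad.exe"},
    {"ts": 10,  "host": "ws01", "pid": 555,  "type": "service_create", "service_kind": "kernel_driver", "name": "vendor_nic"},
    {"ts": 100, "host": "ws01", "pid": 4242, "type": "service_create", "service_kind": "kernel_driver", "name": "protdrv"},
    {"ts": 103, "host": "ws01", "pid": 4242, "type": "desktop_create", "name": "hidden1"},
    {"ts": 105, "host": "ws01", "pid": 4242, "type": "process_create", "image": "C:\\Program Files\\AV\\Uninstall.exe"},
    {"ts": 180, "host": "ws01", "pid": 4242, "type": "process_create", "image": "C:\\Users\\u\\AppData\\Local\\Temp\\stage2.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(f"{a['host']} pid {a['pid']}: " + " -> ".join(f"{n}@{t}" for n, t in a["stages"]))
```

Requiring the full ordered chain keeps a lone driver install or a lone uninstaller launch (both routine on managed hosts) from firing, while the time window reflects that this loader performs the steps back to back rather than over days.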
“With the RAT payload properly installed, malicious actors can perform actions such as stealing several pieces of critical information from the infected systems, gaining remote control access to the system, and creating botnet networks,” said researchers.
According to researchers with Intel 471, PrivateLoader sits at the front of the PPI operation, communicating with its back-end infrastructure in order to receive URLs for the malicious payloads to deploy. The malware also communicates a number of statistics, such as which payloads were launched successfully. Other payloads downloaded by PrivateLoader on the system may differ, with families like SmokeLoader, RedLine and Anubis reportedly being previously distributed via PPI services. Researchers said that the framework’s features may still vary depending on the malware version, as it is still in its development phase.
PPI malware services, which have been around for a “considerable amount of time,” work as follows: a malware operator provides the payment, targeting information and malicious payloads, and those who run the service then handle the delivery.
“The accessibility and moderate costs allow malware operators to leverage these services as another weapon for rapid, bulk and geo-targeted malware infections,” said researchers with Intel 471. “By understanding how these services proliferate, defenders can better recognize these campaigns and stop them from wreaking havoc on their organization’s IT stack.”