NetDooka framework distributed via a pay-per-install (PPI) malware service

Pierluigi Paganini May 06, 2022

Researchers discovered a sophisticated malware framework, dubbed NetDooka, distributed via a pay-per-install (PPI) malware service known as PrivateLoader.

Trend Micro researchers uncovered a sophisticated malware framework dubbed NetDooka that is distributed via a pay-per-install (PPI) service known as PrivateLoader and includes multiple components, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its protocol for C2 communication. 

The PrivateLoader malware is a downloader used by threat actors for downloading and installing multiple malware. Some of the malware families distributed via PPI services include SmokeLoader, RedLine, and Anubis.


The attack chain starts when a user downloads PrivateLoader, usually through pirated software, then the NetDooka malware is installed to act as a dropper for additional components.

The researchers pointed out that the framework is still under development.

The loader performs a set of checks to avoid being executed in a virtual environment, it might also install a kernel driver for future use.

“Upon execution, the loader will deobfuscate strings, such as the command-and-control (C&C) server address, and check for the command-line arguments that were passed. The malware accepts multiple arguments that indicate what action should be taken.” reads a report published by Trend Micro. The malware used a function called “DetectAV()” to determine the antivirus solution installed on the system and uninstall it.

001Uninstalls Avira programs
004Uninstalls Viper programs
006Uninstalls Total 360 programs
007Uninstalls ESET programs
008Uninstalls GData programs
embeddedDownloads the dropper component and renames it to reloadbitex.exe
correctExecutes the dropper component and blocks antivirus vendor domains
<No ARG>Downloads the dropper component and executes itself using the “embedded” and “correct” arguments

One of the dropper component analyzed by Trend Micro is the downloaded malware which is executed by the loader. This dropper is responsible for decrypting and executing the final payload, a RAT that implements multiple capabilities such as starting a remote shell, grabbing browser data, taking screenshots, and gathering system information. It can also start the installed kernel driver component to protect the dropped payload.

The final payload, the NetDookaRAT, supports multiple functions such as executing shell commands, performing distributed denial-of-service (DDoS) attacks, downloading and executing files, logging keystrokes on the infected machine, and performing remote desktop operations.

“PPI malware services allow malware creators to easily deploy their payloads. The use of a malicious driver creates a large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as protecting processes and files, bypassing antivirus programs, and hiding the malware or its network communications from the system, among others.” concludes the analysis. “Furthermore, with the RAT payload properly installed, malicious actors can perform actions such as stealing several critical information from the infected systems, gaining remote control access to the system, and creating botnet networks. “

Please vote for Security Affairs as the best European Cybersecurity Blogger Awards 2022 – VOTE FOR YOUR WINNERS
Vote for me in the sections “The Underdogs – Best Personal (non-commercial) Security Blog” and “The Tech Whizz – Best Technical Blog” and others of your choice.
To nominate, please visit:  

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, NetDooka)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment