Overview

Researchers at Trend Micro have documented a new malware framework they’ve seen distributed via the PrivateLoader Pay-Per-Install (PPI) service.

Victims were seen receiving a NetDooka dropper from PrivateLoader; the dropper is responsible for decrypting and executing the NetDooka loader.

The NetDooka loader includes anti-detection checks for virtual environments. It then downloads a second dropper, which in turn downloads and decrypts the main Remote Access Trojan (RAT) payload.

PrivateLoader PPI service has also been seen installing SmokeLoader, RedLine and Anubis.

Impact

The NetDooka malware contains a RAT which can allow an attacker full control over the victim’s machine, with a variety of prewritten modules to support various malicious actions.

Vulnerability Detection

The initial PPI installer is usually delivered by tricking a user into running the malware, often bundled with pirated software.

Containment, Mitigations & Remediations

An endpoint detection and response (EDR) system should detect and prevent this from running, but IT policies and user education can help prevent malicious actors from getting an initial foothold.

Indicators of Compromise

NetDooka

hxxp://93.115.21[.]45 hxxp://89[.]38[.]131[.]155

hxxp://data-file-data-18[.]com hxxp://file-coin-coin-10[.]com

PrivateLoader

aa2c0a9e34f9fa4cbf1780d757cc84f32a8bd005142012e91a6888167f80f4d5 077225467638a420cf29fb9b3f0241416dcb9ed5d4ba32fdcf2bf28f095740bb

hxxp://45.144.225[.]57/server.txt hxxps://pastebin[.]com/raw/A7dSG1te hxxp://wfsdragon[.]ru/api/setStats.php hxxps://cdn.discordapp[.]com/attachments/934006169125679147/963471252436172840/PL_Client.bmp

212.193.30[.]21 2.56.59[.]42

/base/api/statistics.php /base/api/getData.php

Threat Landscape

PPI software used to be mostly about adware, but more recently the trend has been towards installing more malicious payloads.

NetDooka appears to be in early development and capabilities are expected to expand over time.

Mitre Methodologies

PrivateLoader

T1053.005 – Scheduled Task/Job: Scheduled Task

T1176 – Browser Extensions

T1543.003 – Create or Modify System Process: Windows Service

T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

T1608.001 – Stage Capabilities: Upload Malware

NetDooka

T1056.001 – Input Capture: Keylogging

T1021.001 – Remote Services: Remote Desktop Protocol

T1021.005 – Remote Services: VNC

T1125 – Video Capture

T1140 – Deobfuscate/Decode Files or Information

T1498.001 – Network Denial of Service: Direct Network Flood

Further Information

NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service

Peeking into PrivateLoader

PrivateLoader: The first step in many malware schemes

The Underground Economy of the Pay-Per-Install (PPI) Business