NetDooka is a highly sophisticated malware recently discovered by researchers.
The malware is spread through a pay-per-install (PPI) service. It has several parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that communicates with the host computer using its own network communication protocol.
NetDooka Malware
When NetDooka infects a user's device, it embeds itself deeply in the system.
The malware has the capability of performing tasks that violate a user's privacy.
According to Bleeping Computer, NetDooka is capable of sending messages, downloading files, recording microphone audio, capturing images from the webcam, copying browser data, and so much more.
Threat actors can gain complete control over an infected device due to this new malware framework.
The malware was discovered being distributed through the PrivateLoader pay-per-install (PPI) malware distribution service.
There are several components to this formerly unknown malware framework. These include a loader, a dropper, a protection driver, and a powerful remote administration tool (RAT) that uses a proprietary network connection protocol.
The design of the malware's functions suggests it is intended for widespread distribution: NetDooka is being pushed through the PrivateLoader malware distribution service, which gives it a broad reach and makes the potential damage correspondingly serious.
Another notable feature of the malware is that it can trigger the spread of a wide range of other malware, including Raccoon Stealer, Redline, Smokeloader, Vidar, Mars Stealer, Trickbot, Danabot, Remcos, and many other families.
Additionally, it has the ability to scan an infected device for antivirus tools and, if any are found, disable or remove them.
To keep the RAT component from being deleted or its processes shut down, the malware installs a malicious kernel driver that protects them. This means that NetDooka cannot simply be removed or its processes terminated while the driver is in place.
How NetDooka Attacks
The infection process begins when a user unintentionally downloads PrivateLoader, which is typically obtained through pirated software downloads.
This is followed by the installation of the first NetDooka malware, which is a dropper component that is responsible for decrypting and running the loader component.
The loader first checks that it is not executing in a virtual environment, then downloads another piece of malware from a remote server and executes it. It may also install a kernel driver for later use.
The downloaded NetDooka malware is yet another dropper component that is executed by the loader. This dropper is in charge of decrypting and running the final payload, a full-featured RAT with many capabilities, including creating a remote shell, stealing browser data, taking screenshots, and gathering system information, among others. It may also start the previously installed kernel driver component in order to protect the dropped payload.
As reported by TrendMicro, malware writers can quickly deploy their payloads using PPI malware services. The use of a rogue kernel driver opens up a wide range of options for attackers on a compromised computer: they can protect processes and files, bypass antivirus software, and hide malware or its network interactions from security tools on the system.
Moreover, with the RAT payload correctly installed, criminal actors are able to carry out operations such as stealing a variety of crucial information from compromised systems, getting remote control access to the systems, and establishing botnets. Finally, because of NetDooka's capabilities, it can serve as an entry point for other types of malware.