New Malware Framework Distributed Via Pay-Per-Install Service

Researchers have uncovered a new malware framework that they say is fairly sophisticated and is being spread as part of the known pay-per-install (PPI) PrivateLoader malware service.

The framework, which researchers call NetDooka (due to the names of some of its components), contains multiple parts, including a loader, dropper, protection driver and a remote access trojan (RAT) with its own network communication protocol. Researchers said the malware framework’s capabilities enable it to act as an entry point for other malware.

“PPI malware services allow malware creators to easily deploy their payloads,” said Aliakbar Zahravi and Leandro Froes with Trend Micro in a Thursday analysis. “The use of a malicious driver creates a large attack surface for attackers to exploit, while also allowing them to take advantage of approaches such as protecting processes and files, bypassing antivirus programs, and hiding the malware or its network communications from the system, among others.”

PrivateLoader’s initial infection vector is typically via pirated software downloads. The downloader then installs the first NetDooka malware family, which is a dropper component that decrypts and executes the loader. The loader installs a kernel driver and then creates a new virtual desktop in order to execute an antivirus software uninstaller. It interacts with the uninstaller by emulating the mouse and pointer position, which also allows it to prepare the environment for executing other components.

“By understanding how these services proliferate, defenders can better recognize these campaigns and stop them from wreaking havoc on their organization’s IT stack.”

Then, another dropper is executed by the loader that executes a full-featured RAT. The RAT has multiple functionalities, including the abilities to start a remote shell, grab browser data, take screenshots and gather system information. It might also leverage the previously installed kernel driver component to protect the dropped payload, researchers said.

“With the RAT payload properly installed, malicious actors can perform actions such as stealing several critical information from the infected systems,…