NetDooka Malware Detection: NetDooka Enables Data Theft and Hijacking

NetDooka Malware Framework

Adversaries utilize the PrivateLoader pay-per-install (PPI) malware distribution platform to spread a new malware framework dubbed NetDooka. This comprehensive malware framework possesses several components, such as a loader, a dropper, a kernel-mode process, a file protection driver, and a remote access trojan (RAT).

The launching element of the infection chain of the NetDooka framework is the installation of the PrivateLoader malware. The PPI service is linked to the distribution of such malware strains as Remcos, Mars Stealer, RedLine Stealer, and Vidar, which can be dropped onto infected systems in this campaign as well.

Detect NetDooka Malware

Utilize the following rule released by our keen Threat Bounty developer Sittikorn Sangrattanapitak to detect suspicious files associated with the NetDooka framework:

Suspicious NetDooka Framework Distributed Malware via a Pay-Per-Install (PPI) service (via file event)

The detections are available for 21 SIEM, EDR & XDR platforms and are aligned with the latest MITRE ATT&CK® framework v.10, addressing the Execution tactic with User Execution as the main technique (T1204).

SOC Prime’s library of detection content hosts detection items that can be integrated with 25+ SIEM, EDR, and XDR solutions. Press the View Detections button to browse through an ever-growing collection of 185,000+ future-proof detections available for platform members.

Join Threat Bounty, SOC Prime’s crowdsourcing initiative, to share our dedication to cooperating in achieving high standards of cybersecurity processes. Adepts at cybersecurity leverage the Threat Bounty Program to unlock new possibilities for their career in the field.


NetDooka Framework Analysis

The first artifacts related to the NetDooka framework were described by Trend Micro’s research team in a security report released on May 05, 2022. The available data spells bad news: security analysts warn of the NetDooka malware framework’s alarming malicious potential even though it is still in the development phase.

Distributed via the PrivateLoader PPI malware distribution platform, the NetDooka malware enables its operators to take over the victim’s system, i.e., perform remote desktop operations, log keystrokes, run shell commands, launch DDoS attacks, and manage the machine’s data. Infections with PrivateLoader are spread mostly through unlicensed software obtained from illegal websites that are ranked highly in search results by means of SEO poisoning tactics. Previously, this PPI platform was mostly leveraged to deliver stealer and banking malware, as well as ransomware.

The NetDooka attack chain relies on the components listed above. The first payload brings a loader that kills the infected system’s antivirus tools. At this point, the loader might also install a kernel driver to protect the RAT’s operations in the upcoming steps. A successful operation culminates in the drop of a final payload, dubbed NetDookaRAT, which gives threat actors full or partial control of the target.

As hacks evolve, we must adapt. To keep abreast of the hackers, proactive threat detection is paramount. In the face of the massive boom in the number of malware distribution occurrences, SOC Prime leverages the collaborative expertise of 23,000+ cybersecurity professionals offering timely and efficient solutions to enable security teams to detect threats easier and faster.
