NetDooka RAT

NetDooka RAT Description

A sophisticated, multi-component malware framework tracked as NetDooka has been discovered by cybersecurity researchers. The framework consists of a dedicated loader, a dropper, a protection driver and a full-fledged RAT (Remote Access Trojan). To initiate the infection, the threat actors relied on the PrivateLoader pay-per-install (PPI) malware distribution service. The attackers obtained full access to every successfully compromised device. Details about the entire framework and its components were published by security researchers.

The final payload in the infection chain is the NetDooka RAT, a threat that, although still under active development, is already capable of performing a wide range of intrusive and harmful actions. It can execute shell commands, launch DDoS (Distributed Denial-of-Service) attacks, fetch additional files onto the breached device, execute files, log keystrokes and facilitate remote desktop operations.

Before starting its primary functions, the RAT performs several checks for signs of virtualization and analysis environments. It also checks whether a specific mutex is present on the system. Finding the mutex signals to the malware that a NetDooka RAT variant has already infected the system, and the second instance terminates its own execution. The threat receives commands from a Command-and-Control (C2, C&C) server over TCP. Communication with the server is carried out via a custom protocol in which the exchanged packets follow a defined format.

Cybersecurity researchers warn that the current capabilities of the NetDooka RAT could change significantly in later versions. At the moment, the threat is mostly used to establish short-term presence and persistence on the breached devices in order to perform data-collection and espionage activities. However, the fact that the malware framework incorporates a loader component means that the threat actors could deliver additional payloads to pursue other threatening goals as well.