{"id":46492,"date":"2022-05-05T00:00:00","date_gmt":"2022-05-05T00:00:00","guid":{"rendered":"urn:uuid:c2f65102-6565-e4ef-592f-1d08a034fded"},"modified":"2022-05-05T00:00:00","modified_gmt":"2022-05-05T00:00:00","slug":"netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/","title":{"rendered":"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-cover.png\"><!-- OneTrust Cookies Consent Notice start for trendmicro.com --><!-- OneTrust Cookies Consent Notice end for trendmicro.com --> <!-- Begin mPulse library --> <!-- END mPulse library --> <head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width\"> <meta name=\"description\" content=\"This report focuses on the components and infection chain \u2060of the NetDooka framework. 
Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver.\"> <meta name=\"robots\" content=\"index,follow\"> <meta name=\"keywords\" content=\"malware,articles, news, reports,research\"> <meta http-equiv=\"X-UA-Compatible\" content=\"IE=edge,chrome=1\"> <meta name=\"template\" content=\"article1withouthero\"> <meta property=\"article:published_time\" content=\"2022-05-05\"> <meta property=\"article:tag\" content=\"malware\"> <meta property=\"article:section\" content=\"research\"> <link rel=\"icon\" type=\"image\/ico\" href=\"\/content\/dam\/trendmicro\/favicon.ico\"> <link rel=\"canonical\" href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-ppi.html\"> <title>NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service<\/title> <link href=\"https:\/\/fonts.googleapis.com\/css?family=Open+Sans:300,300i,400,400i,600\" rel=\"stylesheet\">\n<link href=\"\/\/customer.cludo.com\/css\/296\/1798\/cludo-search.min.css\" type=\"text\/css\" rel=\"stylesheet\"> <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/trendresearch\/clientlibs\/clientlib-trendresearch.min.css\" type=\"text\/css\"> <meta property=\"og:url\" content=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-ppi.html\"><br \/>\n<meta property=\"og:title\" content=\"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service\"><br \/>\n<meta property=\"og:description\" content=\"This report focuses on the components and infection chain \u2060of the NetDooka framework. 
Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver.\"><br \/>\n<meta property=\"og:site_name\" content=\"Trend Micro\"><br \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-cover.png\"><br \/>\n<meta property=\"og:locale\" content=\"en_US\"> <meta name=\"twitter:card\" content=\"summary_large_image\"><br \/>\n<meta name=\"twitter:site\" content=\"@TrendMicro\"><br \/>\n<meta name=\"twitter:title\" content=\"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service\"><br \/>\n<meta name=\"twitter:description\" content=\"This report focuses on the components and infection chain \u2060of the NetDooka framework. Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver.\"><br \/>\n<meta name=\"twitter:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-cover.png\"> <\/head> <body class=\"articlepage page basicpage context-business\" id=\"readabilityBody\" readability=\"51.721955477957\"> <!-- Page Scroll: Back to Top --> <a id=\"page-scroll\" title=\"VerticalPageScroll\" href=\"javascript:jumpScroll($(this).scrollTop());\"> <span class=\"icon-chevron-up\"><\/span> <\/a> <!-- \/* Data Layer *\/ --> <\/p>\n<div class=\"root responsivegrid\">\n<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12 \">\n<div class=\"articleBodyNoHero aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"research-layout article container\" role=\"contentinfo\">\n<article class=\"research-layout--wrapper row\" data-article-pageid=\"2036285293\">\n<div class=\"col-xs-12 
col-md-12 one-column\">\n<div class=\"col-xs-12 col-md-12\" readability=\"8.8038740920097\">\n<div class=\"article-details\" role=\"heading\" readability=\"37.17191283293\"> <span class=\"article-details__bar\" role=\"img\"><\/span> <\/p>\n<p class=\"article-details__display-tag\">Malware<\/p>\n<p class=\"article-details__description\">This report focuses on the components and infection chain \u2060of the NetDooka framework. Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver.<\/p>\n<p class=\"article-details__author-by\">By: Aliakbar Zahravi, Leandro Froes <time class=\"article-details__date\">May 05, 2022<\/time> <span>Read time:&nbsp;<\/span><span class=\"eta\"><\/span> (<span class=\"words\"><\/span> words) <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<hr class=\"research-layout-divider\"> <main class=\"main--content col-xs-12 col-md-8 col-md-push-2\"> <\/p>\n<div class=\"richText\" readability=\"45.619160260201\">\n<div readability=\"36.693672383205\">\n<p>We recently encountered a fairly sophisticated malware framework that we named NetDooka after the names of some of its components. The framework is distributed via a pay-per-install (PPI) service and contains multiple parts, including a loader, a dropper, a protection driver, and a full-featured remote access trojan (RAT) that implements its own network communication protocol. During our analysis, we discovered that NetDooka was being spread via the PrivateLoader malware which, once installed, starts the whole infection chain.<\/p>\n<p>As previously described by <a href=\"https:\/\/intel471.com\/blog\/privateloader-malware\">Intel471<\/a>, the PrivateLoader malware is a downloader responsible for downloading and installing multiple malware into the infected system as part of the PPI service. Due to the way the PPI service works, the exact payloads that would be installed might differ depending on the malware version. 
Some of the known malware families that are reportedly being distributed via PPI services include SmokeLoader, RedLine, and <a href=\"https:\/\/medium.com\/walmartglobaltech\/privateloader-to-anubis-loader-55d066a2653e\">Anubis<\/a>.<\/p>\n<p>This report focuses on the components and infection chain \u2060of the NetDooka framework. Its scope ranges from the release of the first payload, which drops a loader that creates a new virtual desktop to execute an antivirus software uninstaller and interact with it by emulating the mouse and pointer position \u2014 a necessary step to complete the uninstallation process and prepare the environment for executing other components \u2014 up until the release of the final RAT that is protected by a kernel driver.<\/p>\n<p>However, while we describe all the different features we found, NetDooka\u2019s features might still vary depending on the malware version since it is still in its development phase.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-1-1.jpg\" alt=\"Figure 1. Infection chain of the attack\"><figcaption>Figure 1. Infection chain of the attack<\/figcaption><\/figure>\n<\/p><\/div>\n<div>\n<div class=\"richText\" readability=\"41\">\n<div readability=\"27\">\n<p>The infection starts when a user inadvertently downloads PrivateLoader, usually through pirated software downloads (as mentioned in the Intel471 report), followed by the installation of the first NetDooka malware, a dropper component that is responsible for decrypting and executing the loader component.<\/p>\n<p>The loader then performs certain checks to ensure that it is not running in a virtual environment, after which it downloads another malware from the remote server. 
It might also install a kernel driver for future use.<\/p>\n<p>The downloaded malware is another dropper component that is executed by the loader. This dropper is responsible for decrypting and executing the final payload, a full-featured RAT containing multiple capabilities such as starting a remote shell, grabbing browser data, taking screenshots, and gathering system information. It might also start the installed kernel driver component to protect the dropped payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-2-1.jpg\" alt=\"Figure 2. NetDookaLoader flow chart\"><figcaption>Figure 2. NetDookaLoader flow chart<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div class=\"responsive-table-wrap\" readability=\"12\">\n<p>Upon execution, the loader will deobfuscate strings, such as the command-and-control (C&amp;C) server address, and check for the command-line arguments that were passed. 
The malware accepts multiple arguments that indicate what action should be taken.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"100%\">\n<tbody readability=\"7.5\">\n<tr>\n<td>\n<p>Argument<\/p>\n<\/td>\n<td width=\"520\" valign=\"top\">\n<p>Function<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"103\" valign=\"top\">\n<p>001<\/p>\n<\/td>\n<td width=\"520\" valign=\"top\" readability=\"5\">\n<p>Uninstalls Avira programs<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"103\" valign=\"top\">\n<p>004<\/p>\n<\/td>\n<td width=\"520\" valign=\"top\" readability=\"5\">\n<p>Uninstalls Viper programs<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"103\" valign=\"top\">\n<p>006<\/p>\n<\/td>\n<td width=\"520\" valign=\"top\" readability=\"5\">\n<p>Uninstalls Total 360 programs<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"103\" valign=\"top\">\n<p>007<\/p>\n<\/td>\n<td width=\"520\" valign=\"top\">\n<p>Uninstalls ESET programs<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"103\" valign=\"top\">\n<p>008<\/p>\n<\/td>\n<td width=\"520\" valign=\"top\" readability=\"5\">\n<p>Uninstalls GData programs<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"103\" valign=\"top\">\n<p>embedded<\/p>\n<\/td>\n<td width=\"520\" valign=\"top\" readability=\"5\">\n<p>Downloads the dropper component and renames it to reloadbitex.exe<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"103\" valign=\"top\">\n<p>correct<\/p>\n<\/td>\n<td width=\"520\" valign=\"top\" readability=\"5\">\n<p>Executes the dropper component and blocks antivirus vendor domains<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"4.5\">\n<td width=\"103\" valign=\"top\">\n<p>&lt;No ARG&gt;<\/p>\n<\/td>\n<td width=\"520\" valign=\"top\" readability=\"6\">\n<p>Downloads the dropper component and executes itself using the \u201cembedded\u201d and \u201ccorrect\u201d arguments<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>Table 1. 
Command-line arguments and their functions<\/h5>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-3.png\" alt=\"Figure 3. NetDookaLoader argument\u2019s check\"><figcaption>Figure 3. NetDookaLoader argument\u2019s check<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>If no parameter is passed to the loader, it executes a function called \u201cDetectAV()\u201d that queries the registry to automatically identify which antivirus products are present so that it can uninstall them. The malware does this by creating a new virtual desktop using CreateDesktopA, which is used as a workspace for launching the appropriate uninstaller binary. This is accomplished through the use of CreateProcessA with the \u201ccreate_no_window\u201d flag, as well as through the emulation of human interactions such as controlling the mouse to complete the uninstallation process. Each antivirus uninstaller function has its own removal technique based on that product\u2019s uninstallation process. Figure 4 shows an example of the GData antivirus removal.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-4-1.png\" alt=\"Figure 4. Uninstalling an antivirus program\"><figcaption>Figure 4. 
Uninstalling an antivirus program<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>The loader then uses the bitsadmin.exe Windows utility to download the dropper component from its C&amp;C server and save it as \u201cC:\\Program Files\\ReservHardwareUpdater\\rsvr_updldr.exe\u201d.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-5.png\" alt=\"Figure 5. NetDookaLoader downloading the next stage of the attack via bitsadmin.exe\"><figcaption>Figure 5. NetDookaLoader downloading the next stage of the attack via bitsadmin.exe<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-6.png\" alt=\"Figure 6. Self-execution with \u201cembedded\u201d argument\"><figcaption>Figure 6. Self-execution with \u201cembedded\u201d argument<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35.5\">\n<div readability=\"16\">\n<p>The \u201cembedded\u201d argument is responsible for downloading the dropper component and saving it as \u201c%ProgramFiles%\\ReservHardwareUpdater\\reloadbitex.exe\u201d.<\/p>\n<p>The loader component executes itself again using the \u201ccorrect\u201d argument. Once this is done, it executes the downloaded dropper and blocks antivirus vendor domains by modifying the hosts file so that those domains resolve to the \u201c0.0.0.0\u201d address. 
Finally, it deletes itself using the following command:<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-code-1.PNG\" alt=\"netdooka-code-1\"> <\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-7.png\" alt=\"Figure 7. Blocking antivirus domains\"><figcaption>Figure 7. Blocking antivirus domains<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37\">\n<div readability=\"19\">\n<p>In some variants of the malware, the loader installs a driver to act as a kernel-mode protection for the final payload (RAT component). It accomplishes this by registering as a mini-filter driver and setting callback functions to protect the malware against file deletion and process termination.<\/p>\n<p>The driver binary is Base64-encoded within the loader and, once decoded, has its content written to the \u201cC:\\Program Files\\SolidTechnology\\protdrv.sys\u201d file. Although the loader creates a service to install the driver, it does not start it. Instead, the driver start task is performed by the dropper component.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-8-1.png\" alt=\"Figure 8. Driver installer function\"><figcaption>Figure 8. 
Driver installer function<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"39\">\n<div readability=\"23\">\n<p>We discovered two different dropper components involved in the NetDooka attack chain: One is installed by PrivateLoader and drops the NetDooka loader, while the other drops the final RAT payload.<\/p>\n<p>The dropper component is a small .NET binary responsible for decrypting and executing a payload embedded within it. The malware starts by reading its own file content and looking for a specific byte sequence (in the sample we analyzed, this was \u201c\\x11\\x42\\x91\\x50\\x7F\\xB4\\x6C\\xAA\\x75\\x5E\\x8D\u201d) to locate the bytes that follow it.<\/p>\n<p>The payload decryption is achieved by XOR-ing the embedded payload with a single-byte key and then subtracting the loop index from the result in each decryption loop iteration. The key is resolved by creating a prime number list of a specific size and iterating through it. For each iteration, the SHA-256 hash of the current list element is generated and the first byte of the hash result is then added to a single-byte variable, with the final sum being the XOR key.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-9.png\" alt=\"Figure 9. The decryption routine used by NetDookaDropper\"><figcaption>Figure 9. The decryption routine used by NetDookaDropper<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>Once decrypted, the payload content is written to a file in the %Temp% directory and then executed via a new process. 
Note that both the location and the file name might be different depending on the malware version.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-10.png\" alt=\"Figure 10. The decrypted payload being executed\"><figcaption>Figure 10. The decrypted payload being executed<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"36.28901734104\">\n<div readability=\"17.895953757225\">\n<p>Although the malware has multiple versions exhibiting some differences in behavior such as the XOR key and byte sequence being searched, the dropper\u2019s goal is still the same for all NetDooka\u2019s versions we found: Execute an embedded payload within it. To automate the dropped payload extraction, we developed a Python script that can be downloaded&nbsp;<a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka_dropper_decrypter.py\">here<\/a>.<\/p>\n<p>As mentioned in the loader analysis section, some versions of the dropper component are responsible for starting the driver component service. It\u2019s important to mention that the dropper version that contains the driver start step (performed before the final payload decryption and execution) is the one containing the final payload.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-11.png\" alt=\"Figure 11. 
The dropper starting the driver component\"><figcaption>Figure 11. The dropper starting the driver component<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.333333333333\">\n<div readability=\"14.285714285714\">\n<p>The driver component acts as a kernel-level protection for the RAT component. It does this by attempting to prevent the file deletion and process termination of the RAT component. The driver registers itself as a mini-filter driver to intercept I\/O requests to the file system and sets process callback functions to protect the RAT process.<\/p>\n<p>During our analysis, we noticed that the driver based its process protection implementation on the Microsoft driver <a href=\"https:\/\/github.com\/microsoft\/Windows-driver-samples\/tree\/master\/general\/obcallback\">example<\/a> implementation and its file deletion protection on an open source project named \u201c<a href=\"https:\/\/github.com\/SweetIceLolly\/Prevent_File_Deletion\">Prevent_File_Deletion<\/a>.\u201d<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-12.png\" alt=\"Figure 12. General view of the driver features\"><figcaption>Figure 12. General view of the driver features<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"40.5\">\n<div readability=\"26\">\n<p>The driver registers itself as a mini-filter and starts filtering by using the FltRegisterFilter and FltStartFiltering functions, respectively. File systems are the typical target of I\/O operations that access files. A file system filter is a mechanism that a driver can use to intercept calls destined for the file system. 
A file system mini-filter is a model created to replace the Windows legacy file system filter mechanism, possessing the advantage of being easier to write \u2014 making it the preferred method of developing file system-filtering drivers.<\/p>\n<p>When a mini-filter driver is registered, it can set callback functions to be executed before (PreOperation) and after (PostOperation) I\/O requests. For the file deletion protection, the malware registers a PreOperation callback function during the filter registration to intercept I\/O requests of specific types to the file system. In this case, the malware intercepts file deletion operations.<\/p>\n<p>Once a file deletion operation is requested, the callback function is called, and the driver checks if the destination file has the name \u201cougdwieue.exe\u201d (name of the final RAT payload). If so, it changes the permissions of the request to prevent the target file from being deleted.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-13.png\" alt=\"Figure 13. RAT file name being checked and access being denied\"><figcaption>Figure 13. RAT file name being checked and access being denied<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33.5\">\n<div readability=\"12\">\n<p>The process protection is achieved by setting a process notification callback routine via the PsSetCreateProcessNotifyRoutine function, which would be called every time a new process is created. 
When the callback is executed, the malware looks for the string \u201cougdwieue.exe\u201d in the process command line to determine whether or not the process is the expected target.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-14.png\" alt=\"Figure 14. The process command line being checked\"><figcaption>Figure 14. The process command line being checked<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"35\">\n<div readability=\"15\">\n<p>The driver also sets another callback routine via ObRegisterCallbacks to check for process operations that involve the creation or duplication of a process handle.<\/p>\n<p>With these two callbacks in place, when a process is created the driver can check whether the process being created is in fact the RAT process and whether the operation being performed is either a process handle creation or duplication. If so, the driver changes the access permissions of the handle to block applications that try to obtain a handle to the target process in order to terminate it.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-15.png\" alt=\"Figure 15. Process creation callback routine.\"><figcaption>Figure 15. 
Process creation callback routine.<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-16.png\" alt=\"Figure 16. Access to the process handle being modified\"><figcaption>Figure 16. Access to the process handle being modified<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34.5\">\n<div readability=\"14\">\n<p>The final payload is a RAT that accepts commands from a remote server to execute a variety of functions such as executing shell commands, performing distributed denial-of-service (DDoS) attacks, downloading and executing files, logging keystrokes on the infected machine, and performing remote desktop operations. Figure 17 shows the list of its functions.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-17.png\" alt=\"Figure 17. NetDookaRAT functions\"><figcaption>Figure 17. NetDookaRAT functions<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32\">\n<div readability=\"9\">\n<p>Upon execution, the malware employs various system checks to detect and avoid analysis environments.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-18-1.png\" alt=\"Figure 18. Analysis environment evasion\"><figcaption>Figure 18. 
Analysis environment evasion<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div readability=\"13\">\n<p>The malware creates a mutex named \u201c3f0d73e2-4b8e-4539-90fd-812330bb39c8\u201d to mark its presence on the system. If it finds that this mutex already exists on the system, it exits.<\/p>\n<p>Before C&amp;C communication, NetDooka generates a random 16-byte session ID and stores it in a file named \u201cconfig.cfg\u201d.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-19.png\" alt=\"Figure 19. Initializing and configuring the C&amp;C server\"><figcaption>Figure 19. Initializing and configuring the C&amp;C server<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-20.png\" alt=\"Figure 20. The session ID generator\"><figcaption>Figure 20. The session ID generator<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>It then initializes its network communication components and contacts its C&amp;C server to register the victim and retrieve commands.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-21.png\" alt=\"Figure 21. C&amp;C communication\"><figcaption>Figure 21. 
C&amp;C communication<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"31.5\">\n<div readability=\"8\">\n<p>NetDookaRAT uses a custom protocol to communicate with the C&amp;C server using the format shown in Figure 22.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-code-2.PNG\" alt=\"Figure 22. The packet structure used in C&amp;C communications\"><figcaption>Figure 22. The packet structure used in C&amp;C communications<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"34\">\n<div class=\"responsive-table-wrap\" readability=\"13\">\n<p>Each response is split into a header stream and a data stream. The header stream contains the request type along with the size and options of the data to be sent, while the data stream contains the return value of the specific function. 
Table 2 shows a list of type values and their corresponding functions.<\/p>\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"100%\">\n<tbody readability=\"2\">\n<tr>\n<td>\n<p><b>Type in decimal<\/b><\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p><b>Type in hex<\/b><\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p><b>Function<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"160\" valign=\"top\">\n<p>400<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x190<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\" readability=\"5\">\n<p>Exfiltrate system information<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>1000<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x3E8<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Send session ID<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>10<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x0A<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Send message<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>8<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x08<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Reverse shell<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>16<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x10<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>DDoS attack<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>19<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x13<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Send file<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>5<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x05<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Download file<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>20<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x14<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Copy browser data<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" 
valign=\"top\">\n<p>9<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x09<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Copy browser data<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>18<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x12<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Start HVNC<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>15<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x0F<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Send log<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>14<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x0E<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Microphone capture<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"160\" valign=\"top\">\n<p>17<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x11<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\" readability=\"5\">\n<p>Start virtual network computing (VNC)<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"160\" valign=\"top\">\n<p>13<\/p>\n<\/td>\n<td width=\"113\" valign=\"top\">\n<p>0x0D<\/p>\n<\/td>\n<td width=\"350\" valign=\"top\">\n<p>Capture webcam<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h5>Table 2. The type values and their corresponding functions<\/h5>\n<p>The code snippets in Figure 23 demonstrate how the malware constructs and sends the request shown in Table 2.&nbsp;<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-23.png\" alt=\"Figure 23. Packet creation for requests\"><figcaption>Figure 23. 
Packet creation for requests<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"32.5\">\n<div readability=\"10\">\n<p>The RAT then listens for incoming TCP connections to receive commands, parses each command it receives, and executes it on the infected machine. Because the RAT accepts inbound connections rather than only beaconing outbound, an unexpected listening TCP socket owned by the RAT process can serve as a host-based indicator (the listening port is not given here). Figure 24 shows the commands supported by the malware, while the code snippet in Figure 25 demonstrates how the malware performs these commands.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-24.png\" alt=\"Figure 24. RAT commands and capabilities\"><figcaption>Figure 24. RAT commands and capabilities<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"image\">\n<figure class=\"image-figure\"> <img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-25.png\" alt=\"Figure 25. Code snippet of the RAT commands\"><figcaption>Figure 25. Code snippet of the RAT commands<\/figcaption><\/figure>\n<\/p><\/div>\n<div class=\"richText\" readability=\"37.7625\">\n<div readability=\"20.86875\">\n<p>PPI malware services allow malware creators to deploy their payloads easily. The use of a malicious kernel driver gives the attackers kernel-level control of the host, which lets them protect their own processes and files, bypass antivirus programs, and hide the malware or its network communications from the system, among other things. 
Furthermore, with the RAT payload installed, malicious actors can steal sensitive information from the infected system (browser data, logs, and microphone and webcam captures, per Table 2), gain remote control of it (reverse shell, VNC, and HVNC), and enlist it in a botnet (DDoS attack). Finally, NetDooka\u2019s file-download capability allows it to act as an entry point for other malware.<\/p>\n<p>A list of indicators in text format can be viewed <a href=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service.txt\">here.<\/a><\/p>\n<h2><span class=\"body-subhead-title\">Indicators of Compromise (IoCs)<\/span><\/h2>\n<p>Detection names below are Trend Micro's. IP addresses and domains in this section are defanged (hxxp, [.]) and must be refanged before being used in blocklists or detection rules.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"richText\">\n<div class=\"responsive-table-wrap\">\n<table border=\"1\" cellspacing=\"0\" cellpadding=\"0\" width=\"100%\">\n<tbody readability=\"50\">\n<tr>\n<td>\n<p><b>SHA-256<\/b><\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p><b>Detection name<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"483\" valign=\"top\">\n<p><b>PrivateLoader<\/b><\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>4d94232ec587f991017ed134ea2635e85c883ca868b96e552f9b5ac5691cdaf5<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.Win32.STOP.EL<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"483\" valign=\"top\">\n<p><b>Driver<\/b><\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">&nbsp;<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>81dbe7ff247d909dc3d6aef5b5894a153886955a9c9aaade6f0e9f47033dc2fb<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.Win64.PROTDRIVE.A<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"666\" colspan=\"2\" valign=\"top\">\n<p><b>93[.]115[.]21[.]45 IoCs<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"666\" colspan=\"2\" 
valign=\"top\">\n<p><b>Dropper<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>28ad0bc330c7005637c6241ef5f267981c7b31561dc7d5d5a56e24423b63e642<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>50ab75a7c8685f9a87b5b9eb7927ccb7c069f42fb7427566628969acdf42b345<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>85e439e13bcd714b966c6f4cea0cedf513944ca13523c7b0c4448fdebc240be2<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>c64a551e5b0f74efcce154e97e1246d342b13477c80ca84f99c78db5bfeb85ef<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>8fa89e4be15b11f42e887f1a1cad49e8c9c0c724ae56eb012ac5e529edc8b15c<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>531f6cb76127ead379d0315a7ef1a3fc61d8fff1582aa6e4f77cc73259b3e1f2<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>44babb2843da68977682a74675c8375da235c75618445292990380dbc2ac23af<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" 
readability=\"5\">\n<p>64be1332d1bf602aaf709d30475c3d117f715d030f1c38dee4e7afa6fa0a8523<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>91791f8c459f32dc9bf6ec9f7ee157e322b252bc74b1142705dcc74fe8eced7e<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>a49769b8c1d28b5bb5498db87098ee9c67a94d79e10307b67fe6a870c228d402<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>43dcf8eea02b7286ba481ca84ec1b4d9299ba5db293177ff0a28231b36600a22<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>TrojanSpy.MSIL.DOTSPY.A<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"666\" colspan=\"2\" valign=\"top\">\n<p><b>Loader<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>d20576f0bd39f979759cde5fb08343c3f22ff929a71c3806e8dcf0c70e0f308b<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.DNRAT.A<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>76ed2ef41db9ec357168cd38daeff1079458af868a037251d3fec36de1b72086<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.DNRAT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>40ee0bd60bcb6f015ad19d1099b3749ca9958dd5c619a9483332e95caee42a06<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.DNRAT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>1cc21e3bbfc910ff2ceb8e63641582bdcca3e479029aa425c55aa346830c6c72<\/p>\n<\/td>\n<td width=\"183\" 
valign=\"top\">\n<p>Trojan.MSIL.KILLAV.AF<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>2e37495379eb1a4dfae883d1e669e489877ed73f50ae26d43b5c91d6c7cb5792<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.KILLAV.AF<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>8ed34bfc102f8217dcd6e6bdae2b9d4ee0f3ab951d44255e1e300dc2a38b219e<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.KILLAV.AF<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>5c14a72a6b73b422cafc2596c13897937013fd335eca4299e63d01adee727d54<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.KILLAV.AF<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>bfc99c3f76d00c56149efcf75fd73497ec62b1ed53e12d428cf253525f8be8d0<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.KILLAV.AF<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>ed98187a0895818dfa6b583463b8a6d13ebc709d6dd219b18f789e40a596e40e<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.KILLAV.AF<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>94fb2969eae7cce75c44c667332dacace155369911b425c50476d90528651584<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.KILLAV.AF<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>07aec94afba94eb3b35ba5b2e74b37553c3c0fed4f6de1fbac61c20dae3f29d4<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.KILLAV.AG<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"666\" colspan=\"2\" valign=\"top\">\n<p><b>RAT<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" 
readability=\"5\">\n<p>62946b8134065b0dab11faf906539fcfcbd2b6a89397e7fb8e187dd2d47ab232<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Backdoor.MSIL.DNRAT.A<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>73664c342b302e4879afeb7db4eeae5efc37942e877414a13902372d25c366c5<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Backdoor.MSIL.DNRAT.A<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>ab7d39e34ad51bc3138fb4d0f7dedc4668be1d4b54a45c385e661869267ef685<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Backdoor.MSIL.DNRAT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>c54a492d086930eb4d9cd0233a2f5255743b6dde22a042f2a2800f2c8fe82ce8<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Backdoor.MSIL.DNRAT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>f53844fb1239792dac2e9a89913ef0ca68b7ffe9f7a9a202e3e729dbf90f9f70<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Backdoor.MSIL.DNRAT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>55247d144549642feba5489761e9f33a74fcb5923abd87619310039742e19431<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Backdoor.MSIL.DNRAT.B<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>ed092406a12d68eac373b2ddb061153cb8abe38e168550f4f6106161f43dcafe<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Backdoor.MSIL.DNRAT.C<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>ba563dfaf572aa5b981043af3f164a09f16a2cf445498d52b299d18bb37ce904<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.DNRAT.C<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" 
readability=\"5\">\n<p>796df2ad288455a4047a503b671d5970788b15328ce15b512c5e3403b0c39a61<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.DNRAT.C<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"666\" colspan=\"2\" valign=\"top\">\n<p><b>89[.]38[.]131[.]151 IoCs<\/b><\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"666\" colspan=\"2\" valign=\"top\">\n<p><b>Dropper<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>60bf7b23526f36710f4ef589273d92cc21d45a996c09af9a4be52368c3233af6<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.A<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"6\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>557f35cfdd1606d53d6a3ae8d9f86013b4953c5e1c6fabc2faa57d528c895694<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\" readability=\"5\">\n<p>TrojanSpy.MSIL.DOTCRYPT.A<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"666\" colspan=\"2\" valign=\"top\">\n<p><b>Loader<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>cdf3aaa9134dc1c5523902afed3ff029574f9c13bc7105c77df70d20c9312288<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.MSIL.VINDOR.A<\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>85d3b0b00759d7b2c7810c65cdae7fcfe46f3a9aec9892c11156d61c99c2d92e<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Trojan.Win32.VINDOR.A<\/p>\n<\/td>\n<\/tr>\n<tr>\n<td width=\"666\" colspan=\"2\" valign=\"top\">\n<p><b>RAT<\/b><\/p>\n<\/td>\n<\/tr>\n<tr readability=\"3\">\n<td width=\"483\" valign=\"top\" readability=\"5\">\n<p>5ec57873c7a4829f75472146d59eb8e44f926d9a0df8d4af51ca21c8cd80bace<\/p>\n<\/td>\n<td width=\"183\" valign=\"top\">\n<p>Backdoor.MSIL.DNRAT.A<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/div>\n<\/p><\/div>\n<div class=\"richText\" readability=\"33\">\n<div readability=\"11\">\n<h2><span class=\"body-subhead-title\">Domains and 
URLs<\/span><\/h2>\n<p>hxxp:\/\/212.193.30[.]21\/<\/p>\n<p>hxxp:\/\/93.115.21[.]45<\/p>\n<p>hxxp:\/\/89[.]38[.]131[.]155<\/p>\n<p>hxxp:\/\/data-file-data-18[.]com<\/p>\n<p>hxxp:\/\/file-coin-coin-10[.]com<\/p>\n<p>Note: the sample table above groups its second set of IoCs under 89[.]38[.]131[.]151, whereas this list gives 89[.]38[.]131[.]155; confirm the address against the linked IoC text file before acting on either one. All entries are defanged and must be refanged before use.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<p>Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-ppi.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>This report focuses on the components and infection chain of the NetDooka framework. Its scope ranges from the release of the first payload up until the release of the final RAT that is protected by a kernel driver. 
Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":46493,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9513,9509],"class_list":["post-46492","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-malware","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2022-05-05T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-cover.png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"15 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service\",\"datePublished\":\"2022-05-05T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/\"},\"wordCount\":2990,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service.jpg\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Malware\",\"Trend Micro Research : 
Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/\",\"name\":\"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service.jpg\",\"datePublished\":\"2022-05-05T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2022\\\/05\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service.jpg\",\"width\":1500,\"height\":926},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity 
News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https
:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/","og_locale":"en_US","og_type":"article","og_title":"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2022-05-05T00:00:00+00:00","og_image":[{"url":"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/22\/e\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/netdooka-cover.png","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"15 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service","datePublished":"2022-05-05T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/"},"wordCount":2990,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service.jpg","keywords":["Trend 
Micro Research : Articles, News, Reports","Trend Micro Research : Malware","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/","url":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/","name":"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service.jpg","datePublished":"2022-05-05T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2022\/05\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service.jpg","width":1500,"height":926},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/netdooka-framework-distributed-via-privateloader-malware-as-part-of-pay-per-install-service\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"NetDooka Framework Distributed via PrivateLoader Malware as Part of Pay-Per-Install Service"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF 
\u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH 
Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46492","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=46492"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/46492\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/46493"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=46492"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=46492"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=46492"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
