Thousands of PCs Affected by Nodersok/Divergent Malware


Fileless threat leverages widely used Node.js framework and WinDivert packet-capture utility to turn infected machines into proxies for malicious behavior.

New malware identified by Microsoft and Cisco Talos has affected thousands of PCs in the United States and Europe and turns systems into proxies for performing malicious activity, the companies said.

The fileless threat—called Nodersok by Microsoft and Divergent by Cisco Talos—has many of its own components but also takes advantage of existing tools to do its dirty work. The malware leverages the popular Node.js framework used by many Web applications and WinDivert, a network packet-capture and manipulation utility, to turn the systems into unwitting proxies.

While both companies released reports on the malware Wednesday in separate blog posts, each had a different opinion as to exactly what it does.

Microsoft researchers said that once Nodersok turns machines into proxies, it uses them as “a relay to access other network entities (websites, C&C servers, compromised machines, etc.), which can allow them to perform stealthy malicious activities,” according to the company’s blog post.

Cisco Talos researchers, on the other hand, said the proxies created by Divergent are used to conduct click fraud. Moreover, the malware has similar characteristics to those observed in other click-fraud malware, such as Kovter, the company said in a blog post.

According to Cisco Talos, the malware is believed to still be in active development.

Infection by Nodersok is essentially a two-stage attack that downloads multiple components to a user’s PC. Systems are initially infected when a user runs an HTA file, either by clicking on it as a browser download or by landing on a malicious ad, according to Microsoft.

JavaScript code in the HTA file then downloads a second-stage component in the form of another JavaScript file or an XSL file containing JavaScript code. This component launches a PowerShell command hidden inside an environment variable and launches additional PowerShell instances, according to Microsoft.

The PowerShell commands download and execute encrypted components that, among other things, attempt to disable Windows Defender Antivirus and Windows Update, and launch a binary shellcode that attempts to elevate privileges on the infected machine. The malware’s final payload is a JavaScript module written for the Node.js framework that can turn the machine into a proxy, Microsoft said.
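One place a defender can look for the hand-off described above is process-creation telemetry: a script host such as mshta.exe launching PowerShell whose command body comes from an environment variable. The following is an added example written for this article, not code from Microsoft or Cisco Talos; the Sysmon-style field names (ParentImage, Image, CommandLine) and the sample events are constructed assumptions.

```python
"""Heuristic for the HTA -> PowerShell stage described in the article.

Events are constructed, Sysmon-style process-creation records. The field
names and sample data are assumptions for this example, not report data.
"""
import re
from typing import Iterable

# Script hosts that can run HTA/JS/XSL content, as in the described chain.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

# PowerShell reading its command body from an environment variable, e.g.
# "$env:NAME", "${env:NAME}", "%NAME%" or GetEnvironmentVariable(...).
ENV_REF = re.compile(
    r"\$env:\w+|\$\{env:\w+\}|%\w+%|\[environment\]::GetEnvironmentVariable",
    re.IGNORECASE,
)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_suspicious(event: dict) -> bool:
    """True when a script host spawns PowerShell that pulls its command from an env var."""
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    return parent in SCRIPT_HOSTS and child in POWERSHELL and bool(ENV_REF.search(cmd))


def find_suspicious(events: Iterable[dict]) -> list[dict]:
    """Return the subset of events that match the heuristic."""
    return [e for e in events if is_suspicious(e)]


# Constructed sample events: a benign admin script, one event matching the
# chain (script host -> PowerShell reading $env:...), and a benign child.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoP -W Hidden -Command $env:stage2"},
    {"ParentImage": r"C:\Windows\System32\mshta.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print("ALERT:", hit["ParentImage"], "->", hit["CommandLine"])
```

The heuristic is deliberately narrow (parent, child and an env-var reference must all match) so that ordinary administrative PowerShell launched from Explorer or a scheduler does not fire it.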

While Windows Defender should be able to identify and block Nodersok, the malware is a bit slippery because it leverages legitimate infrastructure, according to Microsoft.

“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar,” Microsoft said in the post.

Still, once it infects a system, Nodersok’s behavior gives it away to anyone who knows where to look, so security researchers should be able to detect it at some point.

To avoid infection altogether, Microsoft is advising people not to run HTA files found on their systems, especially ones they don’t remember downloading or the origin of which they can’t identify, the company said.
