New malware dubbed Nodersok discovered by researchers

• A new malware dubbed Nodersok that abuses legitimate tools has been observed.
• Consumers, primarily in Europe and the United States have been the victim of the Nodersok campaign spanning across the last few weeks.

The big picture

The attack relies on an elusive network infrastructure and makes use of advanced fileless techniques.

• Nodersok has been observed to abuse legitimate tools that are already present in the machines.
• ‘Node.exe’, the Windows implementation of the Node.js framework and ‘WinDivert’, a network capture and manipulation utility are the legitimate tools involved in this campaign.
• The malware contains a PowerShell module that attempts to disable Windows Update and Windows Defender.

“Like the Astaroth campaign, every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory,” say the researchers from Microsoft.

The primary victims of this campaign have been noted to be consumers, but around 3% of the attacks have been aimed at various organizations.

Analyzing the Nodersok campaign

Infection by the Nodersok is a multi-stage process that downloads multiple components to the infected system.

• The attack is initiated when the user downloads and runs a specific HTML application (HTA).
• The HTA file reaches out to randomly named domain to download JavaScript code. These domains have been observed to be short-lived.
• Various instances of PowerShell are launched to install various modules in the infected system.

Worth noting

The malware has also been analyzed by researchers at Cisco, who’re calling it ‘Divergent’.

While the Microsoft report says that the infected machines are turned into proxies for malicious activities, the Cisco report says that attackers use the proxies for click-fraud.