Written by Anthony Carballo
on October 01, 2019


Researchers from Microsoft and Cisco Talos have discovered a new malware campaign, dubbed Nodersok by Microsoft and Divergent by Cisco Talos. Both companies’ researchers agree that this malware is virtually impossible to detect (even by Windows Defender), as it uses only legitimate built-in system utilities and third-party tools to extend its functionality and compromise computers. Rather than using any malicious piece of code of its own, it brings its own legitimate tools, a technique that is in active use but has rarely been spotted in the wild.

This malware is mainly distributed via malicious online advertisements (malvertisements) and infects users through a drive-by download attack.



By using legitimate Windows tools, the Node.js framework, and WinDivert, it installs fileless malware whose goal appears to be either turning victims’ systems into proxies or perpetrating click fraud.

Windows users can get infected while browsing online, either by clicking on a malicious HTA file or when a malvertisement is served on a website.

The infection process starts when a malicious ad downloads an HTML application (HTA) to the computer. Once the HTA is clicked on, it runs a series of malicious JavaScript and Windows PowerShell scripts to download and install more invasive malware.

Through PowerShell scripts, the malware tries to disable Windows Defender and Windows Update, and it uses binary shellcode to try to escalate privileges so that it can run safely with system permissions. It takes advantage of the Node.js framework, which is trusted by many systems and has a trusted certificate. Thanks to those features, the malware can run in a trusted environment as if it were a safe process; then, with WinDivert, it can capture network packets to filter and modify specific packets that leave the device.



Microsoft and Cisco disagree on the real purpose and goals of the malware. Microsoft researchers believe that its purpose is to turn infected machines into zombie proxies, while Cisco thinks that the goal is to commit click fraud.

Unfortunately, this kind of malware is tough for the top antivirus products on the market to detect. As you might have read in our previous post, detecting Tactics, Techniques and Procedures (TTPs) is currently the best way to detect malware, as opposed to relying only on file hashes and/or IP addresses. CyberEasy was built with this consideration in mind.
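As an added example (not code from this post, Microsoft, Cisco Talos or CyberEasy), the sketch below shows what behavior-based matching for the chain described above can look like: it scores each host by how many distinct techniques from the chain appear in its process-creation events. The event layout, rule names, command-line patterns and threshold are assumptions made for illustration, and the sample events are constructed.

```python
import re
from collections import defaultdict

# Constructed process-creation events: (host, parent image, image, command line).
# Hosts, paths and command lines are invented; they are not the campaign's own.
EVENTS = [
    ("ws-01", "chrome.exe", "mshta.exe", r"mshta.exe C:\Users\a\Downloads\update.hta"),
    ("ws-01", "mshta.exe", "powershell.exe", "powershell.exe -w hidden -enc <blob>"),
    ("ws-01", "powershell.exe", "powershell.exe",
     "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("ws-01", "powershell.exe", "node.exe", r"C:\Users\a\AppData\Roaming\x\node.exe app.js"),
    ("ws-01", "node.exe", "cmd.exe", r"cmd.exe /c copy WinDivert64.sys C:\Users\a\AppData\Roaming\x"),
    ("ws-02", "explorer.exe", "node.exe", r"C:\Program Files\nodejs\node.exe server.js"),
    ("ws-02", "explorer.exe", "powershell.exe", "powershell.exe Get-MpPreference"),
]

# One rule per technique named in the article. The patterns are assumptions:
# each matches a behavior, not a file hash or an IP address.
RULES = {
    # An HTA host process launching a script interpreter or shell.
    "hta_spawns_script_host": lambda p, i, c: p == "mshta.exe"
        and i in {"powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"},
    # PowerShell being used to switch off Defender or Windows Update.
    "defender_or_update_tamper": lambda p, i, c: i == "powershell.exe"
        and re.search(r"set-mppreference\s+-disable|stop-service\s+wuauserv", c, re.I) is not None,
    # A signed Node.js binary running from a user-writable profile path.
    "node_from_user_profile": lambda p, i, c: i == "node.exe"
        and re.search(r"\\appdata\\", c, re.I) is not None,
    # Any command line that touches the WinDivert packet-capture driver.
    "windivert_reference": lambda p, i, c: "windivert" in c.lower(),
}

def score_hosts(events, threshold=3):
    """Return {host: sorted technique names} for hosts with >= threshold distinct hits."""
    seen = defaultdict(set)
    for host, parent, image, cmdline in events:
        parent, image = parent.lower(), image.lower()
        for name, rule in RULES.items():
            if rule(parent, image, cmdline):
                seen[host].add(name)
    return {h: sorted(t) for h, t in seen.items() if len(t) >= threshold}

if __name__ == "__main__":
    for host, techniques in score_hosts(EVENTS).items():
        print(host, "->", ", ".join(techniques))
```

Each binary in the sample is legitimate on its own, which is why the score counts distinct techniques per host instead of alerting on any single process.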



Because Nodersok is challenging to detect, it is advisable to avoid running HTA files, especially those received by email or passed through storage devices. Try to limit visits to untrusted websites, and use an ad blocker where available.

TTPs: Tactics, techniques and procedures
