Researchers from Microsoft and Cisco Talos have discovered a new form of malware being spread as a campaign, dubbed Nodersok by Microsoft and Divergent by Cisco Talos. Both companies' researchers agree that this malware is virtually impossible to detect (even by Windows Defender), because it uses only legitimate built-in system utilities and third-party tools to extend its functionality and compromise computers. Rather than dropping any malicious piece of code of its own, it brings along legitimate tools; this technique is currently active and has rarely been spotted in the wild.
This malware is mainly being distributed via malicious online advertisements (malvertisements) and infecting users by using a drive-by download attack.
By using legitimate Windows tools, the Node.js framework and WinDivert, it installs fileless malware whose goal appears to be either turning victims' systems into proxies or perpetrating click fraud.
Windows users can get infected while browsing online, either by clicking on a malicious HTA file or when a malvertisement is served on a website.
Through PowerShell scripts, the malware tries to disable Windows Defender and Windows Update, and by using binary shellcode it tries to escalate privileges so that it can run safely with SYSTEM permissions. It takes advantage of the Node.js framework, which is trusted by many systems and carries a trusted certificate. Thanks to those features, the malware can run in a trusted environment as if it were a safe process; then, with WinDivert, it can capture network packets in order to filter and modify specific packets that leave the device.
Microsoft and Cisco disagree on the real purpose and goals of the malware: Microsoft researchers believe that its purpose is to turn infected machines into zombie proxies, while Cisco thinks that the goal is to commit click fraud.
Unfortunately, this kind of malware is able to evade detection by the top antivirus products on the market. As you might have read in our previous post, detecting tactics, techniques and procedures (TTPs) is currently the best way to detect malware, as opposed to relying only on file hashes and/or IP addresses; CyberEasy was built with this consideration in mind.
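To make the TTP point concrete, here is an added example (not code from the original post, from Microsoft, Cisco Talos or CyberEasy) of a small behaviour-based detector run over constructed Windows process-creation records. Instead of matching a hash, it flags the chain of techniques described above: an HTA opened by mshta.exe, PowerShell tampering with Defender or the Windows Update service, a Node.js interpreter spawned from that script host, and a WinDivert driver being registered. The process IDs, file paths and command lines in SAMPLE_EVENTS are invented for the example, and the rule names and ATT&CK IDs are my own labels.

```python
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record in the shape of Sysmon event 1 / Security 4688."""
    pid: int
    ppid: int
    image: str      # executable file name only, lower-case
    cmdline: str


# Constructed sample telemetry (paths, PIDs and command lines are invented).
SAMPLE_EVENTS = [
    ProcEvent(100, 1,   "chrome.exe",     "chrome.exe --profile-directory=Default"),
    ProcEvent(200, 100, "mshta.exe",      r"mshta.exe C:\Users\alice\Downloads\offer.hta"),
    ProcEvent(300, 200, "powershell.exe", "powershell.exe -nop -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(301, 200, "powershell.exe", "powershell.exe -c Stop-Service wuauserv"),
    ProcEvent(400, 300, "node.exe",       r"node.exe C:\Users\alice\AppData\Local\Temp\m.js"),
    ProcEvent(500, 300, "sc.exe",         r"sc.exe create WinDivert1.4 type= kernel binPath= C:\Users\alice\AppData\Local\Temp\WinDivert64.sys"),
    # Benign activity that must not fire: an admin shell and a developer's Node app.
    ProcEvent(600, 1,   "powershell.exe", "powershell.exe -c Get-Process"),
    ProcEvent(700, 1,   "node.exe",       r"node.exe C:\dev\app\server.js"),
]

SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def ancestry(by_pid, event):
    """Return the images of the event's parents, nearest parent first."""
    chain, seen = [], set()
    cur = by_pid.get(event.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur.image)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


# Each rule receives the event and its parent chain and returns True on a match.
def rule_mshta_launch(e, parents):
    return e.image == "mshta.exe" and re.search(r"\.hta\b", e.cmdline, re.I) is not None

def rule_defender_tamper(e, parents):
    return e.image == "powershell.exe" and re.search(r"set-mppreference|disablerealtimemonitoring", e.cmdline, re.I) is not None

def rule_update_tamper(e, parents):
    return e.image == "powershell.exe" and re.search(r"\bwuauserv\b", e.cmdline, re.I) is not None

def rule_node_from_script_host(e, parents):
    # node.exe is normal on a developer box; node.exe whose parent is a script host is not.
    return e.image == "node.exe" and bool(parents) and parents[0] in SCRIPT_HOSTS

def rule_windivert_driver(e, parents):
    return "windivert" in e.cmdline.lower()

RULES = [
    ("T1218.005 HTA launched via mshta.exe", rule_mshta_launch),
    ("T1562.001 PowerShell disables Defender", rule_defender_tamper),
    ("T1562.001 PowerShell stops Windows Update", rule_update_tamper),
    ("Node.js spawned by a script host", rule_node_from_script_host),
    ("WinDivert packet-capture driver registered", rule_windivert_driver),
]


def detect(events):
    """Return {pid: [matched rule names]} for every event that matched at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for e in events:
        matched = [name for name, fn in RULES if fn(e, ancestry(by_pid, e))]
        if matched:
            hits[e.pid] = matched
    return hits


def mshta_root(by_pid, event):
    """PID of the nearest mshta.exe in the event's lineage (the event itself included), or None."""
    cur, seen = event, set()
    while cur is not None and cur.pid not in seen:
        if cur.image == "mshta.exe":
            return cur.pid
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return None


def chained_alerts(events, min_stages=3):
    """Group hits under the mshta.exe that started the tree and alert only when
    one tree shows `min_stages` distinct techniques: the behaviour chain is far
    harder for the malware to vary than any single file hash or IP address."""
    by_pid = {e.pid: e for e in events}
    per_root = defaultdict(set)
    for pid, names in detect(events).items():
        root = mshta_root(by_pid, by_pid[pid])
        if root is not None:
            per_root[root].update(names)
    return {root: sorted(names) for root, names in per_root.items() if len(names) >= min_stages}


if __name__ == "__main__":
    for pid, names in detect(SAMPLE_EVENTS).items():
        print(pid, names)
    print(chained_alerts(SAMPLE_EVENTS))
```

On the sample telemetry the five stages all roll up under the mshta.exe process (PID 200) and produce one chained alert, while the administrator's PowerShell session and the developer's node.exe trigger nothing. In a real deployment the records would come from Sysmon or the Security log and the thresholds would be tuned to the environment, but the structure is the point: the detection is keyed on how the tools are used together, not on which file was dropped.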
Because Nodersok is challenging to detect, it is advisable to avoid running HTA files, especially those received by email or passed around on storage devices, to limit visits to untrusted websites, and to use an ad blocker where available.
TTPs: Tactics, techniques and procedures