Written by Anthony Carballo
on October 01, 2019


Researchers from Microsoft and Cisco Talos have discovered a new form of Malware being spread as a campaign, dubbed Nodersok by Microsoft and named Divergent by Cisco Talos. Both companies’ researchers agree that this Malware is virtually impossible to detect (even by Windows Defender), as it uses only legitimate built-in system utilities and third-party tools to extend its functionality and compromise computers. Rather than use any malicious piece of code, this technique of bringing its legitimate tools is active and has rarely been spotted in the wild.

This malware is mainly being distributed via malicious online advertisements (malvertisements) and infecting users by using a drive-by download attack.



By using legitimate Windows tools, Node.js framework, and WinDivert, it installs a file-less Malware that appears to have the goal of either turning victims’ systems into proxies or perpetrates click fraud.

The way Windows users can get infected is while browsing online; it could be by clicking on a malicious HTA file or also when a Malvertisement is served on a website.

The infection process starts when a malicious ad downloads an HTML application (HTA) to the computer, once it is clicked on, it runs a series of JavaScript and also Windows PowerShell malicious scripts, to download and install a more invasive Malware.

Through PowerShell Scripts, the malware tries to disable Windows Defender and Windows Update, while using binary shellcode tries to escalate privileges to run safely with system permissions. It takes advantage of the implementation of the Node.js Framework, which trusted by many systems and has a trusted certificate. Thanks to those features, the malware can run in a trusted environment as if it were a safe process, then with WinDivert, it can capture network packets to filter and modify specific packets that leave the device.



Both Microsoft and Cisco, disagree on the real purpose and goals of the Malware. Microsoft researchers believe that its purpose is to turn infected machines into zombie proxies, while Cisco thinks that the goal is to commit click fraud.

Unfortunately, this kind of Malware is though evade detection for the top antivirus products on the market. As you might have read in our previous post, detecting Tactics, Techniques and Procedures (TTPs) is the current best way to detect malware, as opposed to just file hashes and / or IP addresses, CyberEasy was built with this consideration in mind.



Because it is challenging to detect Nodersok, it is advisable to avoid running HTA files, especially those which have been received by email or passed through storage devices, try to limit visiting untrusted websites and use an ad blocker where available.

TTPs: Tactics, techniques and procedures

Let Us Know What You Thought about this Post.

Put your Comment Below.

You may also like:

Vulnerability Threat report

CryptoAPI Spoofing Vulnerability, Windows flaw discovered by the NSA

Microsoft released patches addressing 49 vulnerabilities as part of their monthly Patch Tuesday announcement. Among the ...

Vulnerability Threat report

Linux bug – Adversaries can hijack your VPN connection

Security testers from the University of New Mexico discovered a vulnerability, tracked as CVE-2019-14899, that can be ex...


Dexphot - Why Your Antivirus Isn't Enough.

Security researchers at Microsoft have been tracking a new strain of cryptocurrency miner, they named it Dexphot, based ...