A new malware campaign responsible for infecting thousands of Windows PCs worldwide has been discovered by Microsoft.
The Microsoft Defender ATP Research Team found the malware, dubbed Nodersok, and explained in a blog post that it is distributed through malicious adverts which force a Windows system to download HTZ files that are used in HTML apps.
According to Microsoft, the malware is fileless and utilizes living-off-the-land binaries (LOLBins) to tap into exiting tools and functionalities in a Windows System. Nodersok then downloads legitimate modules such as Windivert.dll/sys and Node.exe from the Node.JS framework to carry out its work. However, malicious files and executables are never written to an infected machine’s disk.
After a system has been fully infected, Nodersok can then turn it into a zombie-like proxy machine used to launch other cyberattacks and even create a relay server that can give hackers access to command and control servers as well as other compromised devices. This helps hackers hide their activity from security researchers looking for suspicious behavior.
In addition to Microsoft, Cisco’s security division Talos also discovered the malware and named it Divergent. Security researchers at the company found that the infected machines were being used to commit click fraud on targeted corporate networks.
In its blog post, Microsoft researchers explained how they discovered the Nodersok malware campaign, saying:
“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry.”
For those concerned about their systems being infected by Nodersok, Microsoft has updated its free antivirus software Microsoft Defender to detect the malware.
Via The Inquirer