Over the past few weeks, thousands of Windows computers around the world have been infected with a new type of malware. It is called Nodersok in a Microsoft report and Divergent in a Cisco Talos report, and was first detected this summer.
The malware downloads and installs a copy of the Node.js runtime in order to turn infected systems into proxies and carry out fraudulent operations.

“The observed malware campaigns associated with Divergent feature the use of persistence techniques most commonly associated with ‘fileless’ malware, leaving behind few artifacts for researchers to look at. This malware can be leveraged by an attacker to target corporate networks and appears to be primarily designed to conduct click-fraud”, — report Cisco Talos researchers.
The program was distributed through malicious advertising that forcibly downloaded HTA (HTML Application) files to users’ computers. Launching an HTA file started a multi-stage infection process that used Excel, JavaScript and PowerShell scripts, and which ultimately downloaded and installed the Nodersok malware.
The malware itself has several components, including a PowerShell module that attempts to disable Windows Defender and Windows Update, and a component that elevates the malware’s privileges to the SYSTEM level. Two further components, however, are legitimate applications: WinDivert and Node.js. The first is a tool for capturing and manipulating network packets; the second is the well-known runtime for executing JavaScript outside the browser, typically on web servers.
These two legitimate applications are used to run a SOCKS proxy server on the infected hosts. Microsoft researchers say the malware turns infected hosts into proxies for relaying malicious traffic, whereas Cisco Talos experts say the proxies are used for fraudulent transactions.
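As an added illustration (not code from either vendor report), the following Python sketch turns the chain described above into detection heuristics run over constructed, Sysmon-style process and driver events: an HTA host spawning Office or script interpreters, PowerShell touching Defender or Windows Update, node.exe started from a script host or a user-writable path, and a WinDivert driver load. The command-line markers, file paths and event field names are assumptions.

```python
"""Heuristics for the Nodersok/Divergent-style chain: mshta.exe -> Office/script
hosts -> PowerShell tampering -> node.exe from an odd location, plus WinDivert.
Events and field names are constructed for illustration (Sysmon-like shape)."""

SCRIPT_HOSTS = {"excel.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
TAMPER_MARKERS = ("set-mppreference", "disablerealtimemonitoring", "wuauserv")
USER_WRITABLE = ("\\appdata\\", "\\programdata\\", "\\temp\\", "\\users\\public\\")

def _base(path):
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return one finding string per suspicious pattern seen in the event list."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings = []
    for e in events:
        if e["type"] == "driver":
            if _base(e["image"]).startswith("windivert"):
                findings.append(f"windivert_driver_load:{e['image']}")
            continue
        image, cmd = _base(e["image"]), e.get("cmdline", "").lower()
        parent = by_pid.get(e["ppid"])
        pimage = _base(parent["image"]) if parent else ""
        # Stage 1: HTA host spawning an Office application or script interpreter
        if pimage == "mshta.exe" and image in SCRIPT_HOSTS:
            findings.append(f"mshta_spawns_{image}:{e['pid']}")
        # Stage 2: PowerShell command line touching Defender or Windows Update
        if image == "powershell.exe" and any(m in cmd for m in TAMPER_MARKERS):
            findings.append(f"defender_or_wu_tamper:{e['pid']}")
        # Stage 3: node.exe started by a script host or from a user-writable path
        if image == "node.exe" and (pimage in SCRIPT_HOSTS or
                                   any(p in e["image"].lower() for p in USER_WRITABLE)):
            findings.append(f"node_from_unusual_context:{e['pid']}")
    return findings

# Constructed sample telemetry (not taken from the reports); pids and paths are illustrative.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "ppid": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe C:\\Users\\bob\\Downloads\\invoice.hta"},
    {"type": "process", "pid": 101, "ppid": 100, "image": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"},
    {"type": "process", "pid": 102, "ppid": 101, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true; Stop-Service wuauserv"},
    {"type": "process", "pid": 103, "ppid": 102, "image": r"C:\Users\bob\AppData\Local\Temp\node.exe", "cmdline": "node.exe proxy.js"},
    {"type": "driver", "image": r"C:\Users\bob\AppData\Local\Temp\WinDivert64.sys"},
    {"type": "process", "pid": 200, "ppid": 1, "image": r"C:\Program Files\nodejs\node.exe", "cmdline": "node server.js"},  # benign developer use
]
```

The last event shows that node.exe installed normally under Program Files with no suspicious parent produces no finding, so the heuristics key on context rather than on the presence of Node.js alone.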
“The malware loader described is currently under active development. Attackers are attempting to monetize these infections through the use of click fraud. The threat landscape is constantly evolving as attackers test new techniques and methodologies to maximize their revenue generation capabilities. Organizations should be aware of these changes and ensure that their security programs are able to remain effective against these changing tactics, techniques, and procedures”, — warn Cisco Talos researchers.
In any case, Nodersok’s creators can deploy other modules at any time to perform additional tasks, or even to launch ransomware or banking Trojans.