Over the past few weeks, thousands of Windows computers around the world have been infected with a new type of malware. First detected this summer, it is called Nodersok in a Microsoft report and Divergent in a Cisco Talos report. The malware downloads and installs a copy of the Node.js framework, which it uses to turn infected systems into proxies and to conduct fraudulent operations.
“The observed malware campaigns associated with Divergent feature the use of persistence techniques most commonly associated with ‘fileless’ malware, leaving behind few artifacts for researchers to look at. This malware can be leveraged by an attacker to target corporate networks and appears to be primarily designed to conduct click-fraud,” Cisco Talos researchers report.
The malware uses legitimate applications to run a SOCKS proxy server on infected hosts. Microsoft's researchers say the infected hosts are turned into proxies that relay malicious traffic, whereas Cisco Talos concludes that the proxies are used for fraudulent transactions.
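One defender-side way to hunt for the pattern both reports describe (a dropped Node.js binary acting as a proxy), as an added example that is not taken from either vendor's report: a heuristic run over constructed, Sysmon-like process-creation and network-connection events that flags node.exe executing from an untrusted path, being launched by a script host, or accepting inbound connections. The trusted directories, the script-host list, the event shape and the sample port are assumptions.

```python
"""Heuristic triage of process and network telemetry for Node.js abused as a proxy.
The event dictionaries below are a constructed, Sysmon-like shape (the 'initiated'
flag mirrors Sysmon's Initiated field); they are not a real telemetry schema."""

# Assumption: where a legitimately installed node.exe is expected to live.
TRUSTED_NODE_DIRS = (r"c:\program files\nodejs", r"c:\program files (x86)\nodejs")
# Assumption: script hosts commonly used by fileless loaders to chain into node.exe.
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def triage_node_events(events):
    """Return (pid, reason) findings for node.exe activity matching the
    Nodersok/Divergent pattern: node.exe outside its normal install directory,
    launched by a script host, or accepting inbound connections (proxy behaviour)."""
    findings = []
    node_pids = set()
    for ev in events:
        if ev["type"] == "process" and _basename(ev["image"]) == "node.exe":
            node_pids.add(ev["pid"])
            image_dir = ev["image"].lower().rsplit("\\", 1)[0]
            if not image_dir.startswith(TRUSTED_NODE_DIRS):
                findings.append((ev["pid"], f"node.exe running from untrusted path {ev['image']}"))
            parent = _basename(ev["parent_image"])
            if parent in SCRIPT_HOSTS:
                findings.append((ev["pid"], f"node.exe spawned by script host {parent}"))
        elif ev["type"] == "netconn" and ev["pid"] in node_pids and not ev["initiated"]:
            # An inbound (not self-initiated) connection to node.exe is what a proxy looks like.
            findings.append((ev["pid"], f"node.exe accepted inbound connection on port {ev['dst_port']}"))
    return findings


# Constructed sample telemetry: one legitimate developer run (pid 100) and one
# suspicious chain (pid 200) dropped into a temp directory by PowerShell.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 100, "image": r"C:\Program Files\nodejs\node.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"type": "netconn", "pid": 100, "initiated": True, "dst_port": 443},
    {"type": "process", "pid": 200, "image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "netconn", "pid": 200, "initiated": False, "dst_port": 1080},  # constructed SOCKS-style port
]

if __name__ == "__main__":
    for pid, reason in triage_node_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {reason}")
```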
“The malware loader described is currently under active development. Attackers are attempting to monetize these infections through the use of click fraud. The threat landscape is constantly evolving as attackers test new techniques and methodologies to maximize their revenue generation capabilities. Organizations should be aware of these changes and ensure that their security programs are able to remain effective against these changing tactics, techniques, and procedures,” Cisco Talos researchers warn.
Either way, Nodersok's operators can deploy other modules at any time to perform additional tasks, or even launch ransomware or banking Trojans.