News

Nodersok’s new malware (aka Divergent) infected thousands of Windows-based computers

Thousands of Windows-based computers around the world over the past few weeks have been infected with a new type of malware. A new malware called Nodersok (in a Microsoft report) and Divergent (in a Cisco Talos report) was first detected this summer.

The malware downloads and installs a copy of the Node.js infrastructure to convert infected systems to proxies and conduct fraudulent operations.

“The observed malware campaigns associated with Divergent feature the use of persistence techniques most commonly associated with “fileless” malware, leaving behind few artifacts for researchers to look at. This malware can be leveraged by an attacker to target corporate networks and appears to be primarily designed to conduct click-fraud”, — report Cisco Talos researchers.

The program was distributed using malicious advertising that forcedly downloaded HTA (HTML Application) files to users’ computers. The launch of the HTA files began the multi-step infection process using Excel, JavaScript and PowerShell scripts, which ultimately downloaded and installed Nodersok malware.

The malware itself has several components, including the PowerShell module, which attempts to disable Windows Defender and Windows Update, as well as a component for raising malware privileges to the SYSTEM level. However, there are also two components that are legitimate applications, namely: WinDivert and Node.js. The first is an application for capturing and interacting with network packets, and the second is a well-known tool for launching JavaScript on web servers.

Read also: Users are afraid to talk about the “STOP” — one of the most active ransomwares of this year

Legitimate applications are used to run the SOCKS proxy server on infected hosts. Researchers at Microsoft say the malware turns infected hosts into proxies to transmit malicious traffic. According to experts from Cisco Talos, on the other hand, proxies are used for fraudulent transactions.

“The malware loader described is currently under active development. Attackers are attempting to monetize these infections through the use of click fraud. The threat landscape is constantly evolving as attackers test new techniques and methodologies to maximize their revenue generation capabilities. Organizations should be aware of these changes and ensure that their security programs are able to remain effective against these changing tactics, techniques, and procedures”, — warn Cisco Talos researchers.

One way or another, Nodersok’s creators can deploy other modules at any time to perform additional tasks, or even launch ransomware or banking Trojans.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Pbmsoultions.com Pop-up Ads

About Pbmsoultions.com Pbmsoultions.com pop-ups can not launch out of the blue. If you have actually…

2 days ago

Remove Prizestash.com Pop-up Ads

About Prizestash.com Prizestash.com pop-ups can not expose out of the blue. If you have actually…

2 days ago

Remove Verifiedbreaking.com Pop-up Ads

About Verifiedbreaking.com Verifiedbreaking.com pop-ups can not launch out of nowhere. If you have actually clicked…

2 days ago

Remove Themoneyminutes.com Pop-up Ads

About Themoneyminutes.com Themoneyminutes.com pop-ups can not launch out of the blue. If you have actually…

2 days ago

Remove News-xcidizi.com Pop-up Ads

About News-xcidizi.com News-xcidizi.com pop-ups can not introduce out of nowhere. If you have clicked some…

2 days ago

Remove Everytraffic-flow.com Pop-up Ads

About Everytraffic-flow.com Everytraffic-flow.com pop-ups can not launch out of nowhere. If you have actually clicked…

2 days ago