Microsoft Warns of a New Rare Fileless Malware Hijacking Windows Computers

More like this

Watch out Windows users!

There’s a new strain of malware making rounds on the Internet that has already infected thousands of computers worldwide and most likely, your antivirus program would not be able to detect it.

Why? That’s because, first, it’s an advanced fileless malware and second, it leverages only legitimate built-in system utilities and third-party tools to extend its functionality and compromise computers, rather than using any malicious piece of code.

The technique of bringing its own legitimate tools is effective and has rarely been spotted in the wild, helping attackers to blend in their malicious activities with regular network activity or system administration tasks while leaving fewer footprints.

Independently discovered by cybersecurity researchers at Microsoft and Cisco Talos, the malware — dubbed “Nodersok” and “Divergent” — is primarily being distributed via malicious online advertisements and infecting users using a drive-by download attack.

First spotted in mid-July this year, the malware has been designed to turn infected Windows computers into proxies, which according to Microsoft, can then be used by attackers as a relay to hide malicious traffic; while Cisco Talos believes the proxies are used for click-fraud to generate revenue for attackers.

Multi-Stage Infection Process Involves Legitimate Tools

The infection begins when malicious ads drop HTML application (HTA) file on users’ computers, which, when clicked, executes a series of JavaScript payloads and PowerShell scripts that eventually download and install the Nodersok malware.

“All of the relevant functionalities reside in scripts and shellcodes that area unitnearly alwayscoming back in encrypted, area unit then decrypted, and run whereassolely in memory. No malicious workable is ever written to the disk,” Microsoft explains.


As illustrated within the diagram, the JavaScript code connects to legitimate Cloud services and project domains to transfer and run second-stage scripts and extra encrypted parts, including:

  • PowerShell Scripts — commit to disable Windows Defender antivirus and Windows update.
  • Binary Shellcode — tries to step up privileges mistreatment auto-elevated COM interface.
  • Node.exe — Windows implementation of the favored Node.js framework, that is sure and contains a valid digital signature, executes malicious JavaScript to controlinside the context of a suremethod.
  • WinDivert (Windows Packet Divert) — a legitimate, powerful network packet capture and manipulation utility that malware uses to filter and modify bound outgoing packets.


At last, the malware drops the ultimate JavaScript payload written for the Node.js framework that converts the compromised system into a proxy.


“This concludes the infection, at the top of that the network packet filter is active, and also the machine is functioning as a possible proxy zombie,”

Microsoft explains.


“When a machine turns into a proxy, it isutilized by attackers as a relay to access different network entities (websites, C&C servers, compromised machines, etc.), which mightenable them to perform sneaky malicious activities.”

According to the experts at Microsoft, the Node.js-based proxy engine currently has two primary purposes—first, it connects the infected system back to a remote, attacker-controlled command-and-control server, and second, it receives HTTP requests to proxy back to it.

On the other hand, experts at Cisco Talos concludes that the attackers are using this proxy component to command infected systems to navigate to arbitrary web pages for monetization and click fraud purposes.

Nodersok Infected Thousands of Windows Users

According to Microsoft, the Nodersok malware has already infected thousands of machines within the past many weeks, with most targets settledwithin theus and Europe.


While the malware primarily focuses on targeting Windows home users, researchers have seen roughly three-dimensional of attacks targeting organization from trade sectors, as well as education, healthcare, finance, retail, and business and skilled services.


Since the malware campaign employs advanced fileless techniques and depends on elusive network infrastructure by creating use of legit tools, the attack campaign flew below the radio detection and ranging, creating it more durable for ancient signature-based antivirus programs to notice it.


“If we have a tendency to exclude all the clean and legit files leveraged by the attack, all that continues to bearea unit the initial HTA file, the ultimate Node.js-based payload, and a bunch of encrypted files. ancient file-based signatures area unit inadequate to counter subtle threats like this,” Microsoft says.


However, the corporate says that the malware’s “behavior madean understandable footprint that stands out clearly for anyone WHOis aware ofwhereverto appear.”


In July this year, Microsoft additionally discovered and according another fileless malware campaign, dubbed Astaroth, that was designed to steal users’ sensitive data, while not dropping any possible file on the disk or putting in any package on the victim’s machine.


Microsoft aforementioned its Windows Defender adenosine triphosphate next-generation protection detects this fileless malware attacks at every infection stage by recognizingabnormal and malicious behaviors, like the execution of scripts and tools.