here’s a new strain of
malware making rounds on the Internet that has already infected thousands of
computers worldwide and most likely, your antivirus program would not be able
to detect it.
Why? That’s because, first, it’s an advanced fileless malware and second, it
leverages only legitimate built-in system utilities and third-party tools to
extend its functionality and compromise computers, rather than using any
malicious piece of code.
The technique of bringing its own legitimate tools is
effective and has rarely been spotted in the wild, helping attackers to blend
in their malicious activities with regular network activity or system
administration tasks while leaving fewer footprints.
Independently discovered by cybersecurity researchers at
Microsoft and Cisco Talos, the malware — dubbed “Nodersok” and “Divergent” — is
primarily being distributed via malicious online advertisements and infecting
users using a drive-by download attack.
First spotted in
mid-July this year, the malware has been designed to turn infected Windows
computers into proxies, which according to Microsoft, can then be used by attackers
as a relay to hide malicious traffic; while Cisco Talos believes the proxies
are used for click-fraud to generate revenue for attackers.
Multi-Stage Infection Process Involves Legitimate Tools
The infection begins when
malicious ads drop HTML application (HTA) file on
users’ computers, which, when clicked, executes a series of JavaScript payloads
and PowerShell scripts that eventually download and install the Nodersok
malware.
“All of the relevant functionalities reside
in scripts and shellcodes that are almost always coming in encrypted, are then
decrypted, and run while only in memory. No malicious executable is ever
written to the disk,” Microsoft explains.
As illustrated in the diagram, the JavaScript
code connects to legitimate Cloud services and project domains to download and
run second-stage scripts and additional encrypted components, including:
- PowerShell Scripts — attempt to disable Windows Defender antivirus and Windows update.
- Binary Shellcode — attempts to escalate privileges using auto-elevated COM interface.
- Node.exe — Windows implementation of the popular Node.js framework, which is trusted and has a valid digital signature, executes malicious JavaScript to operate within the context of a trusted process.
- WinDivert (Windows Packet Divert) — a legitimate, powerful network packet capture and manipulation utility that malware uses to filter and modify certain outgoing packets.
At last, the malware drops the final JavaScript
payload written for the Node.js framework that converts the compromised system
into a proxy.
“This concludes the infection, at the end of which the network packet filter is active, and the machine is working as a potential proxy zombie,” Microsoft explains.
“When a machine turns into a proxy, it can be used by attackers as a relay to access other network entities (websites, C&C servers, compromised machines, etc.), which can allow them to perform stealthy malicious activities.”
On the other hand,
experts at Cisco Talos concludes that the attackers are using this proxy
component to command infected systems to navigate to arbitrary web pages for
monetization and click fraud purposes.
Nodersok Infected Thousands of Windows Users
According to Microsoft, the Nodersok malware has already
infected thousands of machines in the past several weeks, with most targets
located in the United States and Europe.
While the malware primarily focuses on targeting Windows home
users, researchers have seen roughly 3% of attacks targeting organization from
industry sectors, including education, healthcare, finance, retail, and
business and professional services.
Since the malware campaign
employs advanced fileless techniques and relies on elusive network
infrastructure by making use of legit tools, the attack campaign flew under the
radar, making it harder for traditional signature-based antivirus programs to
detect it.
“If we exclude all the clean and legitimate files leveraged by the attack, all that remains are the initial HTA file, the final Node.js-based payload, and a bunch of encrypted files. Traditional file-based signatures are inadequate to counter sophisticated threats like this,” Microsoft says.
However, the company says that the malware’s
“behavior produced a visible footprint that stands out clearly for anyone
who knows where to look.”
In July this year, Microsoft also discovered and
reported another fileless malware campaign, dubbed Astaroth, that was
designed to steal users’ sensitive information, without dropping any executable
file on the disk or installing any software on the victim’s machine.
Microsoft said its Windows Defender ATP
next-generation protection detects this fileless malware attacks at each
infection stage by spotting anomalous and malicious behaviors, such as the
execution of scripts and tools.