Microsoft Defender ATP Research Team has spotted a new fileless malicious campaign that delivers its own LOLBins (living-off-the-land binaries) to infect Windows-based computers with a Node.js-based malware which will turn affected machines into proxies. Over the last several weeks the campaign dubbed Nodersok has impacted thousands of machines with most of targets located in the United States and Europe. The majority of targets are consumers, but nearly 3% of infections affected organizations in sectors such as education, professional services, healthcare, finance, and retail.

Unlike other fileless malware attacks that only use LOLBins present on the devices they compromise, the operators of the Nodersok campaign delivered two unusual, legitimate tools to infected hosts. One is Node.exe, the Windows implementation of the popular Node.js framework used by countless web applications, and the second is the Windows Packet Divert (WinDivert) network packet capture tool.

“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry,” the researchers said.

To compromise computers, Nodersok uses multi-staged infection process, which starts with the victim browsing or clicking on a malicious ad containing an HTA (HTML Application) file. That HTA file contains Java Script code for downloading the second stage component. The second stage script launches a PowerShell command, which downloads and runs additional components such as a PowerShell module for disabling Windows Defender security solution and Windows Update, a shellcode for privileges elevation, the WinDivert and Node.exe tools, and a JavaScript module that turns the machine into proxy.

“Every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” the research team explained.

A more detailed technical analysis of the new threat is available in Microsoft blog post. Researchers from Cisco’s Talos have also published a report related to this malware, which they named Divergent.