27 September 2019

Thousands of Windows PCs affected by rare Node.js-based malware

The Microsoft Defender ATP Research Team has spotted a new fileless malicious campaign that delivers its own LOLBins (living-off-the-land binaries) to infect Windows-based computers with Node.js-based malware that turns affected machines into proxies. Over the last several weeks the campaign, dubbed Nodersok, has impacted thousands of machines, with most targets located in the United States and Europe. The majority of targets are consumers, but nearly 3% of infections affected organizations in sectors such as education, professional services, healthcare, finance, and retail.

Unlike other fileless malware attacks that only use LOLBins present on the devices they compromise, the operators of the Nodersok campaign delivered two unusual, legitimate tools to infected hosts. One is Node.exe, the Windows implementation of the popular Node.js framework used by countless web applications, and the second is the Windows Packet Divert (WinDivert) network packet capture tool.

“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry,” the researchers said.

To compromise computers, Nodersok uses a multi-stage infection process, which starts with the victim browsing to or clicking on a malicious ad containing an HTA (HTML Application) file. That HTA file contains JavaScript code for downloading the second-stage component. The second-stage script launches a PowerShell command, which downloads and runs additional components: a PowerShell module for disabling the Windows Defender security solution and Windows Update, shellcode for privilege escalation, the WinDivert and Node.exe tools, and a JavaScript module that turns the machine into a proxy.

“Every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” the research team explained.
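The infection chain described in the two paragraphs above (mshta.exe launching powershell.exe, which in turn runs node.exe) is a process-ancestry pattern that defenders can look for in process-creation telemetry. The following is an added detection example, not code from Microsoft or Cisco Talos; the events, PIDs and file paths are constructed, and the temp-directory location for node.exe is an assumption.

```python
# Constructed process-creation events (pid, ppid, image path); not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Program Files\Browser\browser.exe"},
    {"pid": 300, "ppid": 200, "image": r"C:\Windows\System32\mshta.exe"},
    {"pid": 400, "ppid": 300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 450, "ppid": 400, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 500, "ppid": 450, "image": r"C:\Users\alice\AppData\Local\Temp\node.exe"},  # assumed path
    {"pid": 600, "ppid": 100, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"pid": 700, "ppid": 600, "image": r"C:\Tools\node\node.exe"},  # benign developer use, no mshta
]

# The LOLBin chain the article describes, in parent-to-child order.
NODERSOK_CHAIN = ("mshta.exe", "powershell.exe", "node.exe")

def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def ancestry(event, by_pid):
    """Image basenames from the root ancestor down to the process itself."""
    names, seen, cur = [], set(), event
    while cur is not None and cur["pid"] not in seen:  # 'seen' guards against PID-reuse loops
        seen.add(cur["pid"])
        names.append(basename(cur["image"]))
        cur = by_pid.get(cur["ppid"])
    return list(reversed(names))

def is_subsequence(needle, hay):
    """True if needle's items appear in hay in order; intermediate processes are allowed."""
    it = iter(hay)
    return all(any(x == y for y in it) for x in needle)

def mshta_spawned_powershell(events):
    """Earliest signal mentioned in the article: mshta.exe directly launching PowerShell."""
    by_pid = {e["pid"]: e for e in events}
    return [(e["ppid"], e["pid"]) for e in events
            if basename(e["image"]) == "powershell.exe"
            and e["ppid"] in by_pid
            and basename(by_pid[e["ppid"]]["image"]) == "mshta.exe"]

def find_lolbin_chains(events, chain=NODERSOK_CHAIN):
    """PIDs of chain[-1] processes whose ancestry contains the whole chain in order."""
    by_pid = {e["pid"]: e for e in events}
    return [e["pid"] for e in events
            if basename(e["image"]) == chain[-1]
            and is_subsequence(chain, ancestry(e, by_pid))]
```

On the sample, only the node.exe process descended from mshta.exe (pid 500) is flagged; the developer's node.exe under a plain PowerShell session (pid 700) is not.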

A more detailed technical analysis of the new threat is available in a Microsoft blog post. Researchers from Cisco Talos have also published a report on this malware, which they named Divergent.
