Show vulnerabilities with patch / with exploit
27 September 2019

Thousands of Windows PCs affected by rare Node.js-based malware


Thousands of Windows PCs affected by rare Node.js-based malware

Microsoft Defender ATP Research Team has spotted a new fileless malicious campaign that delivers its own LOLBins (living-off-the-land binaries) to infect Windows-based computers with a Node.js-based malware which will turn affected machines into proxies. Over the last several weeks the campaign dubbed Nodersok has impacted thousands of machines with most of targets located in the United States and Europe. The majority of targets are consumers, but nearly 3% of infections affected organizations in sectors such as education, professional services, healthcare, finance, and retail.

Unlike other fileless malware attacks that only use LOLBins present on the devices they compromise, the operators of the Nodersok campaign delivered two unusual, legitimate tools to infected hosts. One is Node.exe, the Windows implementation of the popular Node.js framework used by countless web applications, and the second is the Windows Packet Divert (WinDivert) network packet capture tool.

“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry,” the researchers said.

To compromise computers, Nodersok uses multi-staged infection process, which starts with the victim browsing or clicking on a malicious ad containing an HTA (HTML Application) file. That HTA file contains Java Script code for downloading the second stage component. The second stage script launches a PowerShell command, which downloads and runs additional components such as a PowerShell module for disabling Windows Defender security solution and Windows Update, a shellcode for privileges elevation, the WinDivert and Node.exe tools, and a JavaScript module that turns the machine into proxy.

“Every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” the research team explained.

A more detailed technical analysis of the new threat is available in Microsoft blog post. Researchers from Cisco’s Talos have also published a report related to this malware, which they named Divergent.

Back to the list

Latest Posts

Weekly security roundup: July 6, 2020

Weekly security roundup: July 6, 2020

A short overview of last week's top stories in the world of cyber security.
6 July 2020
North Korean hackers pivot from cryptocurrency theft and ransomware campaigns to online skimming

North Korean hackers pivot from cryptocurrency theft and ransomware campaigns to online skimming

Hidden Cobra has been compromising online stores of large US retailers since at least May 2019.
6 July 2020
Hackers are already attempting to exploit F5 BIG-IP vulnerability

Hackers are already attempting to exploit F5 BIG-IP vulnerability

Two days after the patches for the CVE-2020-5902 flaw have been issued security researchers have started releasing PoC exploits for the vulnerability.
6 July 2020