27 September 2019

Thousands of Windows PCs affected by rare Node.js-based malware


Thousands of Windows PCs affected by rare Node.js-based malware

Microsoft Defender ATP Research Team has spotted a new fileless malicious campaign that delivers its own LOLBins (living-off-the-land binaries) to infect Windows-based computers with a Node.js-based malware which will turn affected machines into proxies. Over the last several weeks the campaign dubbed Nodersok has impacted thousands of machines with most of targets located in the United States and Europe. The majority of targets are consumers, but nearly 3% of infections affected organizations in sectors such as education, professional services, healthcare, finance, and retail.

Unlike other fileless malware attacks that only use LOLBins present on the devices they compromise, the operators of the Nodersok campaign delivered two unusual, legitimate tools to infected hosts. One is Node.exe, the Windows implementation of the popular Node.js framework used by countless web applications, and the second is the Windows Packet Divert (WinDivert) network packet capture tool.

“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry,” the researchers said.

To compromise computers, Nodersok uses multi-staged infection process, which starts with the victim browsing or clicking on a malicious ad containing an HTA (HTML Application) file. That HTA file contains Java Script code for downloading the second stage component. The second stage script launches a PowerShell command, which downloads and runs additional components such as a PowerShell module for disabling Windows Defender security solution and Windows Update, a shellcode for privileges elevation, the WinDivert and Node.exe tools, and a JavaScript module that turns the machine into proxy.

“Every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” the research team explained.

A more detailed technical analysis of the new threat is available in Microsoft blog post. Researchers from Cisco’s Talos have also published a report related to this malware, which they named Divergent.

Back to the list

Latest Posts

500 Chrome extensions secretly pilfered data from millions of users

500 Chrome extensions secretly pilfered data from millions of users

The extensions were part of a malvertising and ad-fraud campaign that has been active since at least since January 2019.
14 February 2020
Hamas-linked hackers target victims in Palestinian territories

Hamas-linked hackers target victims in Palestinian territories

The hackers exploit current geopolitical events to spy on Palestinian entities and individuals.
13 February 2020
The Outlaw hacking group returns with updated kit, targets businesses in the U.S and Europe

The Outlaw hacking group returns with updated kit, targets businesses in the U.S and Europe

The group used a combination of pre-existing tools and new techniques to monitor for programs that could detect its malware.
13 February 2020