27 September 2019

Thousands of Windows PCs affected by rare Node.js-based malware

Thousands of Windows PCs affected by rare Node.js-based malware

Microsoft Defender ATP Research Team has spotted a new fileless malicious campaign that delivers its own LOLBins (living-off-the-land binaries) to infect Windows-based computers with a Node.js-based malware which will turn affected machines into proxies. Over the last several weeks the campaign dubbed Nodersok has impacted thousands of machines with most of targets located in the United States and Europe. The majority of targets are consumers, but nearly 3% of infections affected organizations in sectors such as education, professional services, healthcare, finance, and retail.

Unlike other fileless malware attacks that only use LOLBins present on the devices they compromise, the operators of the Nodersok campaign delivered two unusual, legitimate tools to infected hosts. One is Node.exe, the Windows implementation of the popular Node.js framework used by countless web applications, and the second is the Windows Packet Divert (WinDivert) network packet capture tool.

“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry,” the researchers said.

To compromise computers, Nodersok uses multi-staged infection process, which starts with the victim browsing or clicking on a malicious ad containing an HTA (HTML Application) file. That HTA file contains Java Script code for downloading the second stage component. The second stage script launches a PowerShell command, which downloads and runs additional components such as a PowerShell module for disabling Windows Defender security solution and Windows Update, a shellcode for privileges elevation, the WinDivert and Node.exe tools, and a JavaScript module that turns the machine into proxy.

“Every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” the research team explained.

A more detailed technical analysis of the new threat is available in Microsoft blog post. Researchers from Cisco’s Talos have also published a report related to this malware, which they named Divergent.

Back to the list

Latest Posts

Winnti Group uses new modular Windows backdoor against the gaming industry in Asia

Winnti Group uses new modular Windows backdoor against the gaming industry in Asia

The hacking group was planning a "devastating supply-chain attack" against a high-profile Asian mobile hardware and software manufacturer.
15 October 2019
FIN7 cybercriminal group returns with new tools and evasion techniques

FIN7 cybercriminal group returns with new tools and evasion techniques

The researchers discovered a new loader and a module that exploits the legitimate remote administration software used by the ATM maker NCR Corporation.
14 October 2019
New espionage campaign targets diplomatic missions and governmental institutions in Eastern Europe

New espionage campaign targets diplomatic missions and governmental institutions in Eastern Europe

The Attor malware comes with some unusual capabilities including the use of encrypted modules, Tor-based communications, and a plugin designed for GSM fingerprinting.
11 October 2019
Featured vulnerabilities
Multiple vulnerabilities in ncurses
High Patched | 15 Oct, 2019
Cross-site scripting in NetCommons3
Low Not Patched | 15 Oct, 2019