New Malware Campaigns Target Windows PC

Researchers at Microsoft Defender ATP Research and Cisco Talos revealed two new malware campaigns targeting unsuspecting victims in the United States and Europe.

Microsoft’s announcement came just a few days after the company released emergency security patches to fix two vulnerabilities last week.

The “fileless” malware dubbed as Nodersok discovered by the Microsoft researchers has its own LOLBins. These LOLBins (living-off-the-land binaries) are legitimate tools that exist on machines and exploited by attackers to manipulate the infected device.

Nodersok delivers two valuable, legitimate tools to infected machines: Node.exe and WinDivert.

Node.exe is a Windows implementation of Node.js framework used by many Windows applications, while WinDivert is a powerful network packet capture and manipulation utility.

On a separate post, the Cisco Talos researchers said that the fileless malware called Divergent also uses NodeJS and WinDivert to infect machines.

Both malware campaigns have the same purpose: to lure victims into downloading and running an HTML application (HTA) usually distributed via malicious advertisements.

Once the HTA got installed, it will trigger a sophisticated hacking process that’s difficult to trace because it utilizes existing legitimate tools (NodeJS and WinDivert).

How the Malware Campaigns Work

Nodersok Campaign

The new malware campaigns aim to turn infected computers into zombie proxies. According to Microsoft Defender ATP researchers, Nodersok has infected thousands of machines in the last several weeks.

Sixty percent of attacks happened in the U.S., while 21 percent reportedly occurred in the United Kingdom. Majority of the victims of the Nodersok campaign were from the education and the business and professional services sectors.

During their investigation, Microsoft researchers were able to piece together the infection chain of Nodersok. Here’s how it works:

Victim runs the HTA file by clicking on a malicious browser advertisement.
HTA file’s JavaScript code will download the second-stage component, which could be another JS file or an XSL file containing the second-stage JS file.
The second-stage file will launch a PowerShell command by hiding the encoded command text within an environment variable.
The PowerShell command will run additional encrypted components (Node.exe, WinDivert) that will disable Windows Defender Antivirus and Windows update. If the attempt is successful, the computer will then be turned into a zombie proxy.

Divergent Campaign

According to Cisco Talos researchers, the Divergent campaign is part of a previously undocumented malware payload. Like Nodersok, Divergent is a fileless malware that leaves little to no trace of its existence.

Aside from targeting regular individuals, Divergent could be used to attack corporate networks. The researchers noted that Divergent seemed to have been designed to conduct click-fraud.

Cisco researchers also reported the similarities between Divergent and another fileless malware called Kovter. Like the latter, Divergent relies heavily on a computer’s registry to stage and store configuration data, avoiding the conventional on-access endpoint disk files scanning.

Cisco Talos researchers explained:

“Installation begins by creating several registry keys containing the different parts of the loader as well as the data of the malware PE. The malware reads all the information embedded in its data section and creates three new randomly named registry keys, each holding a different stage of the loader code needed to execute the malware PE using reflective injection.”

Like the Nodersok malware, Divergent also attempts to disable Windows Defender and Windows Updates by executing three JS components. If successful, it will run the click fraud component using the WinDivert library.

Protecting Your Machine Against These Threats

It’s crucial to always keep your computers safe from these malware campaigns. Aside from running your Windows Defender ATP tools, installing third-party security apps like Cisco Advanced Malware Protection can also help stop these malware attacks.

But more than anything else, your machine’s security lies in your hands. Avoid browsing malicious websites and opening files from unknown sources. Also, make it a habit to scan your computer regularly.