Thousands of Windows computers across the world have been infected with a new strain of malware that downloads and installs a copy of the Node.js framework to convert infected systems into proxies and perform click-fraud.
The malware, named Nodersok (in a Microsoft report) and Divergent (in a Cisco Talos report), was first spotted over the summer, distributed via malicious ads that forcibly downloaded HTA (HTML application) files on users’ computers.
The malware itself has multiple components, each with its own role. There’s a PowerShell module that tries to disable Windows Defender and Windows Update, and there’s a component for elevating the malware’s permissions to SYSTEM level.
According to Microsoft and Cisco reports, the malware uses the two legitimate apps to start a SOCKS proxy on infected hosts. But here is where the reports diverge. Microsoft claims the malware turns infected hosts into proxies to relay malicious traffic. Cisco, on the other hand, says these proxies are used to perform click-fraud.
Nevertheless, malware is malware, and an infection is a bad sign regardless of what the proxy is ultimately used for. Just like any other malware strain built on a client-server architecture, Nodersok’s creators could, at any point, deploy other modules to perform additional tasks, or even deploy secondary malware payloads like ransomware or banking trojans.
Since Microsoft found the malware, Windows Defender should also be able to spot it.
To prevent infections, the best advice is that users not run any HTA files they find on their computers, especially if they don’t know the files’ precise origin. Files downloaded from a web page out of the blue are always a bad sign and shouldn’t be trusted, regardless of extension.
According to Microsoft telemetry, Nodersok has already managed to infect “thousands of machines in the last several weeks.” Most of the infections have taken place this month, and have hit US and EU-based users, the company said.
The tricky part about Nodersok is, however, its use of legitimate apps and in-memory payloads (fileless execution). These two techniques make detecting Nodersok infections much harder for classic signature-based antivirus programs.
However, Microsoft says that Nodersok’s post-infection behavior “produces a visible footprint that stands out clearly for anyone who knows where to look,” which should provide security firms with at least a method of detecting the malware at a later point.
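As an added example (not from the article or from the Microsoft or Cisco reports), the Python heuristic below runs over constructed, Sysmon-style process-creation events and flags the behavioral chain the article describes: an HTA launched by mshta.exe, a PowerShell child that tampers with Defender, and a Node.js binary running from a user-writable path. The event fields, paths and command lines are assumptions made up for the sample.

```python
import re
from typing import Dict, Iterator, List

# Constructed sample events (simplified Sysmon-style fields); not real campaign telemetry.
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\alice\Downloads\invoice.hta"'},
    {"pid": 300, "ppid": 200,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"pid": 400, "ppid": 300, "image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "cmd": r"node.exe C:\Users\alice\AppData\Local\Temp\proxy.js"},
    # Benign: a developer's Node.js from its normal install path, started by the shell.
    {"pid": 500, "ppid": 100, "image": r"C:\Program Files\nodejs\node.exe",
     "cmd": "node.exe server.js"},
]

# PowerShell that switches off a Defender feature (Set-MpPreference -Disable...).
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+", re.IGNORECASE)


def ancestors(event: Dict, by_pid: Dict[int, Dict]) -> Iterator[str]:
    """Yield lower-cased parent image paths, nearest parent first, until the root."""
    ppid = event["ppid"]
    while ppid in by_pid:
        parent = by_pid[ppid]
        yield parent["image"].lower()
        ppid = parent["ppid"]


def find_suspicious(events: List[Dict]) -> List[str]:
    """Return one finding per event that matches the HTA -> PowerShell -> Node.js chain."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img = e["image"].lower()
        chain = list(ancestors(e, by_pid))
        # Node.js outside its install path with mshta or powershell somewhere in its ancestry.
        if (img.endswith("node.exe") and "program files" not in img
                and any(a.endswith(("mshta.exe", "powershell.exe")) for a in chain)):
            hits.append(f"pid {e['pid']}: node.exe from user-writable path under HTA/PowerShell")
        # PowerShell spawned directly by mshta that tries to turn Defender features off.
        if (img.endswith("powershell.exe") and chain and chain[0].endswith("mshta.exe")
                and DEFENDER_TAMPER.search(e["cmd"])):
            hits.append(f"pid {e['pid']}: HTA-launched PowerShell disabling Defender")
    return hits
```

The benign Node.js process (pid 500) is not flagged because it runs from its install path and has no HTA or PowerShell ancestor.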
Based on Cisco Talos’ analysis, the malware appears to be still under development, but the threat actors behind it seem to have a plan to monetize their infections through click-fraud, which means the malware is most likely here to stay.