MICROSOFT HAS UNCOVERED malware that's been infecting thousands of Windows PCs across the world and effectively turning them into zombie machines.
Researchers on the Microsoft Defender ATP Research Team said the malware, named Nodersok, is distributed through malicious adverts that push a Windows machine into downloading HTA files, the format used by HTML Applications.
Microsoft described the malware as fileless: it uses living-off-the-land binaries (LOLBins), tapping into tools and functionality already present on the machine, and downloads legitimate modules such as WinDivert.dll/sys and Node.exe from the Node.js framework to carry out its malicious work. At no point is a malicious file or executable written to an infected machine's disk.
"The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar," Microsoft's researchers added.
"We uncovered this campaign in mid-July when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry."
Every step of #Nodersok's infection chain runs only legitimate executables. All relevant functionalities reside in scripts and shellcodes that come in encrypted and are decrypted and run while only in memory. More in our analysis of this #fileless threat: https://t.co/d4XC5dQeg7 — Microsoft Security Intelligence (@MsftSecIntel) 27 September 2019
Once a computer is fully infected, Nodersok can turn it into a proxy machine for launching other cyber attacks, and form a relay server that gives the hackers access to the rest of their hacking infrastructure, such as command and control servers and other compromised devices, thereby better hiding their footprints from cybersecurity researchers.
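As an added illustration, not part of Microsoft's or Talos's analysis, the script below runs a few defender-side heuristics drawn from the behaviours described above (mshta.exe fed a remote HTA, mshta.exe handing off to a script host, node.exe running outside its install directory, WinDivert being loaded) over constructed endpoint telemetry. The key=value event format, the rule names, the sample paths and the trusted Node.js directories are all assumptions.

```python
import re

# Constructed sample events (not real telemetry): process-creation and
# image-load records in a simple key=value form, roughly what an EDR exports.
SAMPLE_EVENTS = [
    'type=process parent=chrome.exe image=mshta.exe cmd="mshta.exe https://ad.example.invalid/landing.hta"',
    'type=process parent=mshta.exe image=powershell.exe cmd="powershell.exe -nop -w hidden -enc QUJD"',
    'type=process parent=powershell.exe image=node.exe cmd="C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe C:\\Users\\alice\\AppData\\Local\\Temp\\m.js"',
    'type=imageload process=node.exe module="C:\\Users\\alice\\AppData\\Local\\Temp\\WinDivert.dll"',
    'type=process parent=explorer.exe image=node.exe cmd="C:\\Program Files\\nodejs\\node.exe app.js"',
    'type=process parent=services.exe image=svchost.exe cmd="svchost.exe -k netsvcs"',
]

FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')   # key=value or key="quoted value"
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe"}
# Assumed install locations; anything else (user profile, temp dir) is suspicious.
TRUSTED_NODE_DIRS = ("c:\\program files\\nodejs\\", "c:\\program files (x86)\\nodejs\\")

def parse_event(line):
    """Split one key=value record into a dict, stripping quotes from values."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def classify(ev):
    """Return the names of the heuristics this event trips (empty if none)."""
    hits = []
    if ev.get("type") == "process":
        image = ev.get("image", "").lower()
        parent = ev.get("parent", "").lower()
        cmd = ev.get("cmd", "").lower()
        if image == "mshta.exe" and re.search(r"https?://", cmd):
            hits.append("mshta_remote_hta")            # malvertising entry point
        if parent == "mshta.exe" and image in SCRIPT_HOSTS:
            hits.append("mshta_spawns_script_host")    # HTA handing off to next stage
        if image == "node.exe" and not cmd.startswith(TRUSTED_NODE_DIRS):
            hits.append("node_outside_install_dir")    # dropped Node.exe, not an install
    elif ev.get("type") == "imageload":
        if "windivert" in ev.get("module", "").lower():
            hits.append("windivert_loaded")            # packet-capture module for relaying
    return hits

def scan(lines):
    """Return [(event_number, [rule, ...]), ...] for every event that trips a rule."""
    findings = []
    for n, line in enumerate(lines, 1):
        hits = classify(parse_event(line))
        if hits:
            findings.append((n, hits))
    return findings

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_EVENTS):
        print(f"event {n}: {', '.join(hits)}")
```

Each rule alone is noisy on a developer workstation; the value is in several of them firing on the same host within a short window.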
Cisco's Talos security division also discovered the malware and dubbed it Divergent. The boffins from the company noted that the infected machines were being used to commit advertising click-fraud on targeted corporate networks.
Regardless of whether the infected machines were used to create zombies or commit fraud, the nature of the malware means its handlers could equip it with new modules to facilitate other attacks.
Microsoft has updated Windows Defender to spot Nodersok, so you can breathe easy. But the whole thing showcases how sophisticated, and arguably slick, malware is getting. µ