INSUBCONTINENT EXCLUSIVE:
A new malware campaign responsible for infecting thousands of Windows PCs worldwide has been discovered by Microsoft.The Microsoft Defender
ATP Research Team found the malware, dubbed Nodersok, and explained in a blog post that it is distributed through malicious adverts which
force a Windows system to download HTZ files that are used in HTML apps.Once a user finds and clicks on the HTZ files on their system, this
starts a process that opens Powershell scripts, Excel and JavaScript to download and install the Nodersok malware.According to Microsoft,
the malware is fileless and utilizes living-off-the-land binaries (LOLBins) to tap into exiting tools and functionalities in a Windows
Nodersok then downloads legitimate modules such as Windivert.dll/sys and Node.exe from the Node.JS framework to carry out its work
However, malicious files and executables are never written to an infected machine's disk.After a system has been fully infected, Nodersok
can then turn it into a zombie-like proxy machine used to launch other cyberattacks and even create a relay server that can give hackers
access to command and control servers as well as other compromised devices
This helps hackers hide their activity from security researchers looking for suspicious behavior.In addition to Microsoft, Cisco's
security division Talos also discovered the malware and named it Divergent
Security researchers at the company found that the infected machines were being used to commit click fraud on targeted corporate networks.In
interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that
causes the attack to fly under the radar
We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP
Defender to detect the malware.Via The Inquirer
