Windows malware turns PCs into zombies
Nodersok malware has already infected thousands of Windows PCs
A new malware campaign responsible for infecting thousands of Windows PCs worldwide has been discovered by Microsoft.
The Microsoft Defender ATP Research Team found the malware, dubbed Nodersok, and explained in a blog post that it is distributed through malicious adverts which force a Windows system to download HTZ files that are used in HTML apps.
Once a user finds and clicks on the HTZ files on their system, this starts a process that opens Powershell scripts, Excel and JavaScript to download and install the Nodersok malware.
- US government is working on mysterious malware detection project
- Major rise in password-stealing malware detected
- Microsoft ups cloud security with Azure Sentinel launch
According to Microsoft, the malware is fileless and utilizes living-off-the-land binaries (LOLBins) to tap into exiting tools and functionalities in a Windows System. Nodersok then downloads legitimate modules such as Windivert.dll/sys and Node.exe from the Node.JS framework to carry out its work. However, malicious files and executables are never written to an infected machine's disk.
Nodersok malware
After a system has been fully infected, Nodersok can then turn it into a zombie-like proxy machine used to launch other cyberattacks and even create a relay server that can give hackers access to command and control servers as well as other compromised devices. This helps hackers hide their activity from security researchers looking for suspicious behavior.
In addition to Microsoft, Cisco's security division Talos also discovered the malware and named it Divergent. Security researchers at the company found that the infected machines were being used to commit click fraud on targeted corporate networks.
In its blog post, Microsoft researchers explained how they discovered the Nodersok malware campaign, saying:
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar. We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry.”
For those concerned about their systems being infected by Nodersok, Microsoft has updated its free antivirus software Microsoft Defender to detect the malware.
- We've also highlighted the best antivirus software of 2019
Via The Inquirer
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.