Upcoming Virtual Event: Cloud Security Summit | July 17 - Register Now
Connect with us

Hi, what are you looking for?



Malware Delivery Campaign Employs Advanced Fileless Techniques

A recently observed malware delivery campaign employs advanced fileless techniques and an elusive network infrastructure that allows it to remain largely undetected.

A recently observed malware delivery campaign employs advanced fileless techniques and an elusive network infrastructure that allows it to remain largely undetected.

The campaign, which Microsoft refers to as Nodersok, abuses two legitimate tools that it drops onto the infected machines, namely Node.exe, the Windows implementation of the popular Node.js framework, and WinDivert, a network packet capture and manipulation utility.

Over the past several weeks, thousands of machines were impacted by the campaign, most of them located in the United States and Europe. Around 3% of the infected systems are within organizations, but the attack has mainly targeted consumers, Microsoft says.

The attack starts with the delivery of an HTML Application (HTA), most likely through compromised advertisements. The file attempts to connect to a randomly named domain to download additional JavaScript code that attempts to retrieve content from the command and control (C&C) server.

The downloaded file then attempts to contact the remote C&C domain to download an RC4-encrypted file and a decryption key. The file is an additional JavaScript snippet that starts a malicious PowerShell script.

The infection process continues to the launch of additional PowerShell scripts to download and run several encrypted modules that are decrypted on the fly before being executed. One of the modules attempts to disable Windows Defender Antivirus and Windows updates, then run binary shellcode that attempts elevation of privilege.

One of the PowerShell stages downloads the legitimate node.exe tool, while another drops WinDivert packet capture library components. Another PowerShell component executes a shellcode to use WinDivert for the filtering and modification of certain outgoing packets.

In the end, a JavaScript payload along with some Node.js modules and libraries are dropped onto the infected machine, and node.exe is leveraged for execution.

Advertisement. Scroll to continue reading.

The purpose of this attack, Microsoft says, was to turn the infected machines into zombie proxies. The attackers can then abuse these proxies to access websites, C&C servers and compromised machines, and perform stealthy malicious activities.

The WinDivert tool is used to intercept packets sent out to initiate a TCP connection and modify them in a manner that likely benefits the attackers.

The attack was also uncovered and analyzed by Talos’ security researchers, who call the malware installed at the final stage Divergent. They also explain that the initial version of the attack delivered and executed components as JScript, and only newer variants switched to the multi-stage PowerShell scripts.

Commands and parameters supported by the C&C protocol used by Divergent allow it to kill a process it has initiated and remove corresponding files, kill the process of a specified component, and execute a file if a component already exists.

The malware can also pull additional configuration data from specific registry keys, then send additional requests to download specified files, write them to disk, and then execute them, Talos says.

The attackers behind this campaign can abuse the infected machines to perform click fraud, the security researchers also note.

“Both the distributed network infrastructure and the advanced fileless techniques allowed this campaign fly under the radar for a while, highlighting how having the right defensive technologies is of utmost importance in order to detect and counter these attacks in a timely manner,” Microsoft concludes.

Related: Fileless Attack Attempts to Run Astaroth Backdoor Directly in Memory

Related: Fileless Malware Attacks on the Rise, Microsoft Says

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Learn how to utilize tools, controls, and design models needed to properly secure cloud environments.


Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.


People on the Move

Craig Boundy has left Experian to join McAfee as President and CEO.

Forcepoint has promoted Ryan Windham from Chief Customer and Strategy Officer to Chief Executive Officer.

ICS and OT cybersecurity solutions provider TXOne Networks appointed Stephen Driggers as its new CRO.

More People On The Move

Expert Insights