A recently observed malware delivery campaign employs advanced fileless techniques and an elusive network infrastructure that allows it to remain largely undetected.
The campaign, which Microsoft refers to as Nodersok, abuses two legitimate tools that it drops onto the infected machines, namely Node.exe, the Windows implementation of the popular Node.js framework, and WinDivert, a network packet capture and manipulation utility.
Over the past several weeks, thousands of machines were impacted by the campaign, most of them located in the United States and Europe. Around 3% of the infected systems are within organizations, but the attack has mainly targeted consumers, Microsoft says.
The attack starts with the delivery of an HTML Application (HTA), most likely through compromised advertisements. The file attempts to connect to a randomly named domain to download additional JavaScript code that attempts to retrieve content from the command and control (C&C) server.
The downloaded file then attempts to contact the remote C&C domain to download an RC4-encrypted file and a decryption key. The file is an additional JavaScript snippet that starts a malicious PowerShell script.
The infection process continues to the launch of additional PowerShell scripts to download and run several encrypted modules that are decrypted on the fly before being executed. One of the modules attempts to disable Windows Defender Antivirus and Windows updates, then run binary shellcode that attempts elevation of privilege.
One of the PowerShell stages downloads the legitimate node.exe tool, while another drops WinDivert packet capture library components. Another PowerShell component executes a shellcode to use WinDivert for the filtering and modification of certain outgoing packets.
In the end, a JavaScript payload along with some Node.js modules and libraries are dropped onto the infected machine, and node.exe is leveraged for execution.
The purpose of this attack, Microsoft says, was to turn the infected machines into zombie proxies. The attackers can then abuse these proxies to access websites, C&C servers and compromised machines, and perform stealthy malicious activities.
The WinDivert tool is used to intercept packets sent out to initiate a TCP connection and modify them in a manner that likely benefits the attackers.
The attack was also uncovered and analyzed by Talos’ security researchers, who call the malware installed at the final stage Divergent. They also explain that the initial version of the attack delivered and executed components as JScript, and only newer variants switched to the multi-stage PowerShell scripts.
Commands and parameters supported by the C&C protocol used by Divergent allow it to kill a process it has initiated and remove corresponding files, kill the process of a specified component, and execute a file if a component already exists.
The malware can also pull additional configuration data from specific registry keys, then send additional requests to download specified files, write them to disk, and then execute them, Talos says.
The attackers behind this campaign can abuse the infected machines to perform click fraud, the security researchers also note.
“Both the distributed network infrastructure and the advanced fileless techniques allowed this campaign fly under the radar for a while, highlighting how having the right defensive technologies is of utmost importance in order to detect and counter these attacks in a timely manner,” Microsoft concludes.
Related: Fileless Attack Attempts to Run Astaroth Backdoor Directly in Memory
Related: Fileless Malware Attacks on the Rise, Microsoft Says
