Warning over Divergent/Nodersok malware that turns PCs into cyber crime accomplices

The fileless malware identified by Microsoft and Cisco Talos has already infected thousands of PCs across the US and Europe

Security researchers have discovered a new strain of fileless malware that can turn an infected system into "zombies" or "bots" to aid hackers in other attacks.

The malware was recently discovered by researchers at Microsoft and Cisco Talos, who named it Nodersok and "Divergent", respectively.

According to researchers, the malware has already infected thousands of PCs across the US and Europe.

Nodersok compromises a system after a user downloads and runs an HTML application (HTA) file likely distributed via malicious ads.

After infecting the system, Nodersok disables Windows Defender and sets up a proxy server, which can be used by the attackers to launch other cyber attacks.

These proxies are also used by the attackers as "a relay to access other network entities (websites, command and control servers, compromised machines and so on), which can allow them to perform stealthy malicious activities."

In order to achieve its ultimate goal, Nodersok uses two legitimate tools: WinDivert and Node.exe. WinDivert is used in VPN, firewall and content filtering apps to capture and divert network packets.

Node.exe is part of cross-platform Node.js environment that is used to execute Javascript outside of a web browser.

All significant functionalities of Nodersok reside in encrypted shellcodes and scripts. These shellcodes and scripts are decrypted and executed in memory only and are never written to the local disk. That is the reason why such attacks are known as "fileless" campaigns, which are harder for security software to properly detect.

According to Cisco Talos researchers, the primary purpose of Nodersok is to facilitate advertising click fraud which, they believe, cost advertisers nearly $19 billion in 2018 alone.

They also found a number of features in Nodersok which were earlier observed in other click-fraud malware as well, such as Kovter.

"Like Kovter, it relies heavily on the registry for staging and storage of configuration data while avoiding more traditional on-access endpoint scanning of files on disk. It also uses a key in the registry to maintain persistence, and relies on PowerShell to install itself on the infected host," the Cisco Talos researchers said in a blog post.

The researchers also believe that the malware is still under active development.

Microsoft has advised people to avoid running HTA files on their systems, especially those files that look suspicious and whose origin is difficult to be determined.