Microsoft Spots Nodersok Malware Campaign That Zombifies PCs

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,256
A new fileless malicious campaign, dubbed Nodersok by Microsoft Defender ATP Research Team researchers who discovered it, drops its own LOLBins to infect Windows computers with a Node.js-based malware that will turn the devices into proxies.

Unlike other fileless malware attacks that only use living-off-the-land binaries (LOLBins) present on the devices they compromise, the attackers behind Nodersok have been observed while also delivering the legitimate Node.exe Node.js framework and the Windows Packet Divert (WinDivert) network packet capture tool to devices they target.

The campaign attacked thousands of machines within several weeks, with a focus on home users from U.S. and Europe, with roughly 3% of all attacks also targeting organization from industry sectors such as education, business and professional services, healthcare, finance, and retail.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
The infection chain:

Nodersok.png


Easily prevented by known on MT hardening tools. Hardly detected as 0-day by AVs due to multistage infection chain with several non-malicious files (mshta.exe, powershell.exe and downloaded legal tools node.exe, Windivert.dll/sys).
 

notabot

Level 15
Verified
Oct 31, 2018
703
The infection chain:

View attachment 225860

Easily prevented by known on MT hardening tools. Hardly detected as 0-day by AVs due to multistage infection chain with several non-malicious files (mshta.exe, powershell.exe and downloaded legal tools node.exe, Windivert.dll/sys).

probably missed by WD's behavioural blocker though and 3. probably missed by AMSI, else the attackers wouldn't worry about disabling Defdender at stage 4.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591

notabot

Level 15
Verified
Oct 31, 2018
703

If Defender was on and AMSI caught it at step 3, why have a step 4 to disable it :)

Their statement is "We have known this for quite a while, that’s why we have invested a good deal of resources into developing powerful dynamic detection engines and delivering a state-of-the-art defense-in-depth through Microsoft Defender ATP "

so before it was known malware and they invested a good deal of resources, when it was fairly new, the fact that the attacker only needed to disable at step 4 implies steps 1-3 ( and step 4 ofc ) had a free ride
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,591
If Defender was on and AMSI caught it at step 3, why have a step 4 to disable it :)

Their statement is "We have known this for quite a while, that’s why we have invested a good deal of resources into developing powerful dynamic detection engines and delivering a state-of-the-art defense-in-depth through Microsoft Defender ATP "

so before it was known malware and they invested a good deal of resources, when it was fairly new, the fact that the attacker only needed to disable at step 4 implies steps 1-3 ( and step 4 ofc ) had a free ride
You can read this as if the malware was delivered by skipping the previous stages of infection.
The first scripts are only to misguide AVs. The infection can start for example directly from PowerShell commands embedded in Office document via VBA macro.
Of course, anything can be bypassed, but assuming it by default is not justified.(y)

Edit.
I think that the infection chain and several malware file classifications are based on data from Machine Learning models when the malware was detonated in the sandbox.
 
Last edited:

oldschool

Level 85
Verified
Top Poster
Well-known
Mar 29, 2018
7,697

And M$ technical writers can appear very convincing when so inspired. It's too bad they don't offer such clear articles on consumer versions of Windows Defender. Instead, we rely on those like yourself to dig through all the available info scattered over the web and make some sense of it. Thanks as always @Andy Ful. (y) (y)
 

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Aug 17, 2014
11,256
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top