Microsoft Spots Nodersok Malware Campaign That Zombifies PCs

silversurfer

A new fileless malicious campaign, dubbed Nodersok by Microsoft Defender ATP Research Team researchers who discovered it, drops its own LOLBins to infect Windows computers with a Node.js-based malware that will turn the devices into proxies.

Unlike other fileless malware attacks that only use living-off-the-land binaries (LOLBins) present on the devices they compromise, the attackers behind Nodersok have been observed while also delivering the legitimate Node.exe Node.js framework and the Windows Packet Divert (WinDivert) network packet capture tool to devices they target.

The campaign attacked thousands of machines within several weeks, with a focus on home users from the U.S. and Europe, with roughly 3% of all attacks also targeting organizations from industry sectors such as education, business and professional services, healthcare, finance, and retail.
 

Andy Ful

The infection chain:

Nodersok.png


Easily prevented by hardening tools known on MT. Hardly detected as 0-day by AVs due to the multistage infection chain with several non-malicious files (mshta.exe, powershell.exe and the downloaded legal tools node.exe, Windivert.dll/sys).
 
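The point in the post above is that no single file in the chain is malicious, so a file-centric scanner has little to key on. As an added example (not code from the thread, from Microsoft, or from any hardening tool mentioned here), the following Python script scores the sequence instead: it links process-creation and driver-load events through parent/child PIDs and raises an alert only when several stages of the chain (mshta.exe spawning PowerShell, node.exe launched from a user-writable directory below a PowerShell ancestor, a WinDivert driver loaded from a user-writable path, and a PowerShell command line tampering with Defender) occur close together. The event layout and field names are my assumption, loosely modelled on Sysmon event IDs 1 and 6; the Set-MpPreference check is one well-known way of disabling Defender and is an assumption, since the thread does not say how Nodersok does it; and the telemetry is constructed for the example, not a real capture.

```python
"""Chain-aware detection over constructed process/driver telemetry.

Every file in the chain is benign on its own (mshta.exe, powershell.exe,
node.exe, the WinDivert driver), so this detector scores the sequence,
linked through parent/child process IDs, instead of any single file.
The event shape is an assumption loosely modelled on Sysmon event ID 1
(process create) and ID 6 (driver load); the sample telemetry below is
constructed for this example and is not a real capture.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Directories an unprivileged user can write to; a payload dropped here is the
# hallmark of a "bring your own LOLBin" stage.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")


@dataclass
class Event:
    ts: int          # seconds since an arbitrary epoch (constructed)
    kind: str        # "proc" (process create) or "driver" (driver load)
    image: str       # full path of the process image or driver file
    pid: int = 0
    ppid: int = 0
    cmdline: str = ""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    p = path.lower()
    return any(d in p for d in USER_WRITABLE)


def lineage(pid: int, procs: Dict[int, Event], depth: int = 8) -> List[str]:
    """Image basenames from `pid` up through its ancestors (bounded, cycle-safe)."""
    chain: List[str] = []
    seen = set()
    while pid in procs and pid not in seen and len(chain) < depth:
        seen.add(pid)
        chain.append(basename(procs[pid].image))
        pid = procs[pid].ppid
    return chain


def find_stages(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (stage_name, timestamp) for every chain stage present in the telemetry."""
    procs = {e.pid: e for e in events if e.kind == "proc"}
    stages: List[Tuple[str, int]] = []
    for e in events:
        name = basename(e.image)
        if e.kind == "proc":
            parents = lineage(e.ppid, procs)
            cmd = e.cmdline.lower()
            # Stage: the HTA host spawning PowerShell.
            if name == "powershell.exe" and parents[:1] == ["mshta.exe"]:
                stages.append(("mshta_spawns_powershell", e.ts))
            # Stage (assumption): Defender tampering via one well-known cmdlet.
            if name == "powershell.exe" and "set-mppreference" in cmd and "-disable" in cmd:
                stages.append(("defender_tamper", e.ts))
            # Stage: dropped Node.js runtime started from a user-writable path
            # with PowerShell somewhere in its ancestry.
            if name == "node.exe" and in_user_writable(e.image) and "powershell.exe" in parents:
                stages.append(("node_from_user_dir", e.ts))
        elif e.kind == "driver":
            # Stage: WinDivert driver loaded from a user-writable path.
            if name.startswith("windivert") and in_user_writable(e.image):
                stages.append(("windivert_from_user_dir", e.ts))
    return stages


def verdict(events: List[Event], window: int = 900, min_stages: int = 2) -> dict:
    """Alert when at least `min_stages` distinct stages fall within `window` seconds."""
    stages = sorted(find_stages(events), key=lambda s: s[1])
    distinct = sorted({s[0] for s in stages})
    alert = bool(stages) and len(distinct) >= min_stages \
        and (stages[-1][1] - stages[0][1]) <= window
    return {"stages": distinct, "alert": alert}


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed telemetry: a Nodersok-style chain on one host.
CHAIN = [
    Event(0, "proc", r"C:\Windows\explorer.exe", pid=100, ppid=1),
    Event(5, "proc", r"C:\Windows\System32\mshta.exe", pid=200, ppid=100,
          cmdline=r"mshta.exe C:\Users\alice\Downloads\Invoice.hta"),
    Event(6, "proc", PS, pid=300, ppid=200, cmdline="powershell -w hidden -ep bypass -enc <blob>"),
    Event(60, "proc", PS, pid=310, ppid=300,
          cmdline="powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event(90, "proc", r"C:\Users\alice\AppData\Roaming\node.exe", pid=400, ppid=300,
          cmdline="node.exe agent.js"),
    Event(91, "driver", r"C:\Users\alice\AppData\Roaming\WinDivert64.sys"),
]

# Constructed telemetry: a developer running the same tools from installed locations.
BENIGN = [
    Event(0, "proc", r"C:\Windows\explorer.exe", pid=100, ppid=1),
    Event(1, "proc", r"C:\Windows\System32\cmd.exe", pid=500, ppid=100),
    Event(2, "proc", r"C:\Program Files\nodejs\node.exe", pid=510, ppid=500, cmdline="node build.js"),
    Event(3, "driver", r"C:\Program Files\ExampleVPN\WinDivert64.sys"),
]

if __name__ == "__main__":
    print("chain :", verdict(CHAIN))
    print("benign:", verdict(BENIGN))
```

The path-based checks are deliberately narrow: node.exe under Program Files and a WinDivert driver shipped by an installed product produce no stages at all, while the same binaries dropped under AppData and reached through an mshta.exe to powershell.exe lineage do. Tuning `window` and `min_stages` trades false positives for coverage of slower, staggered infections.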

notabot

The infection chain:

Nodersok.png

Easily prevented by hardening tools known on MT. Hardly detected as 0-day by AVs due to the multistage infection chain with several non-malicious files (mshta.exe, powershell.exe and the downloaded legal tools node.exe, Windivert.dll/sys).

probably missed by WD's behavioural blocker though, and 3. probably missed by AMSI, else the attackers wouldn't worry about disabling Defender at stage 4.
 

notabot

If Defender was on and AMSI caught it at step 3, why have a step 4 to disable it :)

Their statement is "We have known this for quite a while, that’s why we have invested a good deal of resources into developing powerful dynamic detection engines and delivering a state-of-the-art defense-in-depth through Microsoft Defender ATP "

So before it was known malware and they invested a good deal of resources, when it was fairly new, the fact that the attacker only needed to disable it at step 4 implies steps 1-3 (and step 4, of course) had a free ride.
 

Andy Ful

If Defender was on and AMSI caught it at step 3, why have a step 4 to disable it :)

Their statement is "We have known this for quite a while, that’s why we have invested a good deal of resources into developing powerful dynamic detection engines and delivering a state-of-the-art defense-in-depth through Microsoft Defender ATP "

So before it was known malware and they invested a good deal of resources, when it was fairly new, the fact that the attacker only needed to disable it at step 4 implies steps 1-3 (and step 4, of course) had a free ride.
You can read this as if the malware was delivered by skipping the previous stages of infection.
The first scripts are only there to mislead AVs. The infection can start, for example, directly from PowerShell commands embedded in an Office document via a VBA macro.
Of course, anything can be bypassed, but assuming it by default is not justified.

Edit.
I think that the infection chain and several malware file classifications are based on data from Machine Learning models when the malware was detonated in the sandbox.
 

oldschool


And M$ technical writers can appear very convincing when so inspired. It's too bad they don't offer such clear articles on consumer versions of Windows Defender. Instead, we rely on those like yourself to dig through all the available info scattered over the web and make some sense of it. Thanks as always @Andy Ful.
 
