Microsoft Spots Nodersok Malware Campaign That Zombifies PCs

silversurfer

Super Moderator
Thread author
Verified
Top Poster
Staff Member
Malware Hunter
Forum Veteran
Aug 17, 2014
13,214
126,313
8,399
A new fileless malicious campaign, dubbed Nodersok by Microsoft Defender ATP Research Team researchers who discovered it, drops its own LOLBins to infect Windows computers with a Node.js-based malware that will turn the devices into proxies.

Unlike other fileless malware attacks that only use living-off-the-land binaries (LOLBins) present on the devices they compromise, the attackers behind Nodersok have also been observed delivering the legitimate Node.exe Node.js framework and the Windows Packet Divert (WinDivert) network packet capture tool to the devices they target.

The campaign attacked thousands of machines within several weeks, with a focus on home users from the U.S. and Europe, with roughly 3% of all attacks also targeting organizations from industry sectors such as education, business and professional services, healthcare, finance, and retail.
 
The infection chain:

[Image: Nodersok.png]


Easily prevented by the hardening tools known on MT. Hardly detected as a 0-day by AVs due to the multistage infection chain with several non-malicious files (mshta.exe, powershell.exe and the downloaded legal tools node.exe, Windivert.dll/sys).
 

probably missed by WD's behavioural blocker though and 3. probably missed by AMSI, else the attackers wouldn't worry about disabling Defender at stage 4.
 

If Defender was on and AMSI caught it at step 3, why have a step 4 to disable it :)

Their statement is "We have known this for quite a while, that’s why we have invested a good deal of resources into developing powerful dynamic detection engines and delivering a state-of-the-art defense-in-depth through Microsoft Defender ATP "

So before it was known malware and they invested a good deal of resources, when it was fairly new, the fact that the attacker only needed to disable it at step 4 implies steps 1-3 (and step 4 ofc) had a free ride.
 
You can read this as if the malware was delivered by skipping the previous stages of infection.
The first scripts are only to misguide AVs. The infection can start for example directly from PowerShell commands embedded in Office document via VBA macro.
Of course, anything can be bypassed, but assuming it by default is not justified.

Edit.
I think that the infection chain and several malware file classifications are based on data from Machine Learning models when the malware was detonated in the sandbox.
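As an added example (not code from the thread, from the quoted article, or from Microsoft's report), here is a small process-event correlator that looks for the footprint the article describes: a script host spawning powershell.exe, a PowerShell command that tampers with Defender, node.exe launched from a user-writable path, and a WinDivert component loaded from such a path. Each stage is scored independently, so it also handles the point made above that the infection can start directly from PowerShell embedded in an Office macro, skipping the mshta.exe stage. The event layout, field names, stage names, weights and threshold are this example's own assumptions (a simplification of Sysmon process-create, image-load and driver-load events), and the sample events are constructed, not real telemetry.

```python
"""Detection sketch for a Nodersok-style chain.  Event layout and field names
are this example's simplification of Sysmon events 1 (process create), 7 (image
load) and 6 (driver load); they are assumptions, not a real log format."""

from collections import defaultdict

# Stage labels (names chosen for this example).
STAGE_SCRIPT_HOST = "script_host_spawned_powershell"
STAGE_DEFENDER = "defender_tamper_command"
STAGE_NODE_DROP = "node_exe_from_user_writable_path"
STAGE_WINDIVERT = "windivert_loaded_from_user_writable_path"

# Parents that should rarely launch PowerShell on an end-user machine.
# mshta.exe covers the HTA entry, winword.exe/excel.exe the macro entry.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "winword.exe", "excel.exe"}

# Substrings of real Defender cmdlet/parameter names that indicate tampering.
DEFENDER_TAMPER_MARKERS = ("set-mppreference", "add-mppreference",
                           "disablerealtimemonitoring", "exclusionpath")

# Locations a non-admin user can write to: a "legal tool" running from here
# was dropped by something, not installed by an installer.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def basename(path: str) -> str:
    """Lower-case file name from a Windows path ("C:\\a\\b.exe" -> "b.exe")."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE_PREFIXES)


def classify(ev: dict) -> set:
    """Stages evidenced by one event.  Checks are independent, so a chain that
    skips the mshta.exe stage (e.g. starts from a macro) still scores."""
    stages = set()
    image = basename(ev.get("image", ""))
    cmd = ev.get("command_line", "").lower()
    if ev["type"] == "process_create":
        if image == "powershell.exe" and basename(ev.get("parent_image", "")) in SCRIPT_HOSTS:
            stages.add(STAGE_SCRIPT_HOST)
        if image == "powershell.exe" and any(m in cmd for m in DEFENDER_TAMPER_MARKERS):
            stages.add(STAGE_DEFENDER)
        if image == "node.exe" and in_user_writable(ev["image"]):
            stages.add(STAGE_NODE_DROP)
    elif ev["type"] in ("image_load", "driver_load"):
        loaded = ev.get("image_loaded", "")
        if basename(loaded).startswith("windivert") and in_user_writable(loaded):
            stages.add(STAGE_WINDIVERT)
    return stages


def correlate(events: list, min_stages: int = 2) -> dict:
    """Host -> sorted list of stages, for hosts showing at least min_stages
    distinct stages.  One stage alone (an admin's Set-MpPreference, node.exe in
    a developer's profile) is noise; the combination is the campaign's footprint."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]] |= classify(ev)
    return {h: sorted(s) for h, s in per_host.items() if len(s) >= min_stages}


# Constructed sample events (not real telemetry).
PS64 = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PS32 = "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [
    # ws-01: the full chain as described in the thread.
    {"host": "ws-01", "type": "process_create", "image": PS64,
     "parent_image": "C:\\Windows\\System32\\mshta.exe",
     "command_line": "powershell -nop -w hidden -File stage2.ps1"},
    {"host": "ws-01", "type": "process_create", "image": PS64, "parent_image": PS64,
     "command_line": "powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws-01", "type": "process_create", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe",
     "parent_image": PS64, "command_line": "node.exe run.js"},
    {"host": "ws-01", "type": "image_load", "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\node.exe",
     "image_loaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\WinDivert.dll"},
    # ws-02: same payload delivered from a macro; the mshta.exe stage is skipped.
    {"host": "ws-02", "type": "process_create", "image": PS32,
     "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "command_line": "powershell -nop -w hidden -File stage2.ps1"},
    {"host": "ws-02", "type": "process_create", "image": "C:\\ProgramData\\svc\\node.exe",
     "parent_image": PS32, "command_line": "node.exe a.js"},
    # dev-03: a developer's legitimately installed Node.js, launched from a shell.
    {"host": "dev-03", "type": "process_create", "image": "C:\\Program Files\\nodejs\\node.exe",
     "parent_image": "C:\\Windows\\System32\\cmd.exe", "command_line": "node index.js"},
    # admin-04: a single exclusion command on its own, below the threshold.
    {"host": "admin-04", "type": "process_create", "image": PS64,
     "parent_image": "C:\\Windows\\explorer.exe",
     "command_line": "Add-MpPreference -ExclusionPath D:\\Builds"},
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

Run as is, it reports ws-01 with all four stages and ws-02 with two; dev-03 and admin-04 stay quiet because a legitimately installed node.exe scores nothing and a lone Defender exclusion is below the threshold. Lowering min_stages to 1 surfaces admin-04 as well, which is the trade-off to make deliberately when tuning this on real data.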
 

And M$ technical writers can appear very convincing when so inspired. It's too bad they don't offer such clear articles on consumer versions of Windows Defender. Instead, we rely on those like yourself to dig through all the available info scattered over the web and make some sense of it. Thanks as always @Andy Ful.