Microsoft has confirmed that a Node.js-based malware dubbed Nodersok has affected thousands of Windows PCs over several weeks. This new strain of malware performs click-fraud by installing a copy of Node.js framework and transforms systems into proxies.
The malware was first spotted by the Microsoft Defender ATP Research team back in mid-July.
According to Microsoft’s blog, Nodersok delivers its own LOLBins (living-off-the-land binaries) with two legitimate Windows tool to affect users:
- Node.exe – the Windows implementation of Node.js framework
- WinDivert – Windows Packer Divert, a user-mode packet capture-and-divert package deployed by Windows 2008, Windows 7, Windows 8 and Windows 10.
The data shared by Microsoft shows that the Nodersok campaign has mostly affected the parts of United States and Europe.
Education is the major sector affected by this Windows malware with a 42% share.
The malware not only adopts advanced fileless techniques but also uses and elusive network infrastructure that makes it difficult to spot for signature-based antivirus programs.
The attack is initiated when a user downloads an HTML application (HTA) file named Player1566444384.hta by clicking on a malicious link. The digits could be different for different instances of attack. The file packs a JavaScript code which downloads the second component of the malware — an XSL file. This file runs a PowerShell command to download additional malicious modules and the last stage involves dropping the JavaScript payload with some Node.js modules.
The last JavaScript for the Node.js framework turns the infected system into a “proxy zombie” which can be used by bad actors to perform malicious activities.
Microsoft says that machine learning models in the Windows Defender can detect the Nodersok malware in the initial stage. Therefore, we recommend users to keep their Windows Defender always enabled to evade this malicious malware.
Also Read: A New “Free VPN Service” Is In Town: Here’s How To Enable It
