Microsoft has confirmed that a Node.js-based malware dubbed Nodersok has affected thousands of Windows PCs over several weeks. This new strain of malware performs click-fraud by installing a copy of Node.js framework and transforms systems into proxies.
The malware was first spotted by the Microsoft Defender ATP Research team back in mid-July.
According to Microsoft’s blog, Nodersok delivers its own LOLBins (living-off-the-land binaries) with two legitimate Windows tool to affect users:
- Node.exe – the Windows implementation of Node.js framework
- WinDivert – Windows Packer Divert, a user-mode packet capture-and-divert package deployed by Windows 2008, Windows 7, Windows 8 and Windows 10.
The data shared by Microsoft shows that the Nodersok campaign has mostly affected the parts of United States and Europe.
Education is the major sector affected by this Windows malware with a 42% share.
The malware not only adopts advanced fileless techniques but also uses and elusive network infrastructure that makes it difficult to spot for signature-based antivirus programs.
Microsoft says that machine learning models in the Windows Defender can detect the Nodersok malware in the initial stage. Therefore, we recommend users to keep their Windows Defender always enabled to evade this malicious malware.