Microsoft Spots Nodersok Malware Campaign That Zombifies PCs

guest · Sep 26, 2019

Microsoft Spots Nodersok Malware Campaign That Zombifies PCs
September 26, 2019
https://www.bleepingcomputer.com/ne...nodersok-malware-campaign-that-zombifies-pcs/

A new fileless malicious campaign, dubbed Nodersok by Microsoft Defender ATP Research Team researchers who discovered it, drops its own LOLBins to infect Windows computers with a Node.js-based malware that will turn the devices into proxies.

Unlike other fileless malware attacks that only use living-off-the-land binaries (LOLBins) present on the devices they compromise, the attackers behind Nodersok have been observed while also delivering the legitimate Node.exe Node.js framework and the Windows Packet Divert (WinDivert) network packet capture tool to devices they target.

The campaign attacked thousands of machines within several weeks, with a focus on home users from U.S. and Europe, with roughly 3% of all attacks also targeting organization from industry sectors such as education, business and professional services, healthcare, finance, and retail.

"The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar," found the Microsoft researchers.
Click to expand...

According to the Microsoft Defender ATP Research Team, "every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys)."

"All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk."
Click to expand...

Microsoft: Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware

guest · Sep 28, 2019

Cisco Talos named it "Divergent". Analysis:
Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host

Cisco Talos recently discovered a new malware loader being used to deliver and infect systems with a previously undocumented malware payload called "Divergent."
This threat uses NodeJS — a program that executes JavaScript outside of a web browser — as well as the legitimate open-source utility WinDivert to facilitate some of the functionality in the Divergent malware. The use of NodeJS is not something commonly seen across malware families.

Divergent is a malware family designed to generate revenue for attackers via the use of click-fraud, similar to other click-fraud malware such as Kovter. Technical details associated with both the installation and operation of the Divergent malware are described in the following sections.
Click to expand...

SC Magazine: Fileless malware campaign abuses legit tools Node.js and WinDivert

Microsoft and Talos diverge on what the actual purpose of Divergence is. The former believes its purpose is to turn infected machines into zombie proxies, while the latter believes click fraud is the end game, noting that the malware is similar to other fileless malware families, especially Kovter. Fileless malware programs that use legitimate tool to function are considered a particularly troublesome threat because it allows attackers to reduce their footprint and give threat researchers little forensic evidence to work with.
Click to expand...

Rasheed187 · Sep 28, 2019

But the thing is, it seems like Win Def AV can spot and block this malware right? But if this is the case, then why does this malware tries to disable Win Def. All of this text, but they forget to explain the main points.

wat0114 · Sep 28, 2019

Script and ad blocker in the browser, restrict Powershell. The threat becomes a non-factor.

EDIT

heck, I didn't even mention how my SRP setup will block the .HTA file type.

itman · Sep 28, 2019

Rasheed187 said: ↑

But if this is the case, then why does this malware tries to disable Win Def.
Click to expand...

Has nothing to do with WD per se. It is targeting all AV software:

Per the Talso blog posting:

Block AV component

The block_av_01 component attempts to block anti-virus software from receiving updates by blocking all outbound TCP connections on port 80 and port 443. With older revisions of this malware package, this functionality was delivered via a JScript file named bav01.js but in newer versions, this has been seen delivered by PowerShell in the fake PNG trpl.png (see Fake PNG PowerShell Delivery).
Click to expand...

And just how does it know which AV processes to block outbound communication for:

To achieve its anti-virus blocking, the reflectively loaded PE periodically checks the names of all running processes against a predefined list. If any process names appear in the list, the PIDs are added to the filter string passed to WinDivertOpen which will block all traffic to that process on remote ports 80 or 443.
Click to expand...

Right here I question this in regards to a number of third party AV's. Eset for example is quite "vocal" in announcing that its cloud connection is broken or that it can't connect to its update servers.

itman · Sep 28, 2019

Also I am not impressed by this malware. For all its internal operation sophistication, its persistence mechanism is not:

Next, the HTA loader is written to the CSIDL_COMMON_APPDATA folder (typically C:\ProgramData\) and set to execute each time the user logs on by adding an entry to the "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" registry key.
Click to expand...

guest · Oct 1, 2019

Trend Micro named it "Novter":
New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign
October 1, 2019
https://blog.trendmicro.com/trendla...istributed-by-kovcoreg-malvertising-campaign/

We found a new modular fileless botnet malware, which we named “Novter,” (also reported and known as “Nodersok” and “Divergent”) that the KovCoreG campaign has been distributing since March.
KovCoreG’s attack chain
KovCoreG’s attacks are socially engineered malvertisments that lure unwitting users into downloading a software package needed to update their supposedly out-of-date Adobe Flash application. However, it instead drops a malicious HTML application (HTA) file named Player{timestamp}.hta

The PowerShell script, in turn, will disable Windows Defender and Windows Update processes. It runs a shellcode to bypass User Account Control (UAC) via the CMSTPLUA COM interface (related to connection management). The PowerShell script is also embedded with Novter, which will be executed filelessly via the PowerShell reflective injection technique.
Analysis of Novter’s module “Nodster”
The module installs NodeJS on the victim’s machine and executes a NodeJS script “app.js” in the background. The script will connect to an embedded C&C server address and receive the second C&C server address.[...]
Click to expand...

Technical Brief (PDF - 1.10 MB): https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf

Log in or Sign up

Microsoft Spots Nodersok Malware Campaign That Zombifies PCs

guest Guest

guest Guest

Rasheed187 Registered Member

wat0114 Registered Member

itman Registered Member

itman Registered Member

guest Guest

Log in or Sign up

Microsoft Spots Nodersok Malware Campaign That Zombifies PCs

guest Guest

guest Guest

Rasheed187 Registered Member

wat0114 Registered Member

itman Registered Member

itman Registered Member

guest Guest

Useful Searches