Microsoft Spots Nodersok Malware Campaign That Zombifies PCs

Discussion in 'malware problems & news' started by guest, Sep 26, 2019.

  1. guest

    guest Guest

    Microsoft Spots Nodersok Malware Campaign That Zombifies PCs
    September 26, 2019
    https://www.bleepingcomputer.com/ne...nodersok-malware-campaign-that-zombifies-pcs/
    Microsoft: Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware
     
  2. guest

    guest Guest

    Cisco Talos named it "Divergent". Analysis:
    Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host
    SC Magazine: Fileless malware campaign abuses legit tools Node.js and WinDivert
     
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,897
    Location:
    The Netherlands
    But the thing is, it seems like Win Def AV can spot and block this malware right? But if this is the case, then why does this malware tries to disable Win Def. All of this text, but they forget to explain the main points.
     
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,095
    Location:
    Canada
    Script and ad blocker in the browser, restrict Powershell. The threat becomes a non-factor.

    EDIT

    heck, I didn't even mention how my SRP setup will block the .HTA file type.
     
    Last edited: Sep 28, 2019
  5. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,636
    Location:
    U.S.A.
    Has nothing to do with WD per se. It is targeting all AV software:

    Per the Talso blog posting:
    And just how does it know which AV processes to block outbound communication for:
    Right here I question this in regards to a number of third party AV's. Eset for example is quite "vocal" in announcing that its cloud connection is broken or that it can't connect to its update servers.
     
    Last edited: Sep 28, 2019
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,636
    Location:
    U.S.A.
    Also I am not impressed by this malware. For all its internal operation sophistication, its persistence mechanism is not:
     
  7. guest

    guest Guest

    Trend Micro named it "Novter":
    New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign
    October 1, 2019
    https://blog.trendmicro.com/trendla...istributed-by-kovcoreg-malvertising-campaign/
    Technical Brief (PDF - 1.10 MB): https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf
     
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.