Microsoft Spots Nodersok Malware Campaign That Zombifies PCs
September 26, 2019
https://www.bleepingcomputer.com/ne...nodersok-malware-campaign-that-zombifies-pcs/

Microsoft: Bring your own LOLBin: Multi-stage, fileless Nodersok campaign delivers rare Node.js-based malware

Cisco Talos named it "Divergent". Analysis: Divergent: "Fileless" NodeJS Malware Burrows Deep Within the Host

SC Magazine: Fileless malware campaign abuses legit tools Node.js and WinDivert
But the thing is, it seems like Win Def AV can spot and block this malware, right? But if this is the case, then why does this malware try to disable Win Def? All of this text, but they forget to explain the main points.
Script and ad blocker in the browser, restrict PowerShell. The threat becomes a non-factor.

EDIT: heck, I didn't even mention how my SRP setup will block the .HTA file type.
Has nothing to do with WD per se. It is targeting all AV software. Per the Talos blog posting:

And just how does it know which AV processes to block outbound communication for? Right here I question this in regards to a number of third-party AVs. Eset, for example, is quite "vocal" in announcing that its cloud connection is broken or that it can't connect to its update servers.
Also I am not impressed by this malware. For all its internal operation sophistication, its persistence mechanism is not:
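The thread names two things a defender can act on: the hardening posters mention (restricted PowerShell, an SRP rule for .HTA) and the legitimate components the vendor write-ups say the campaign brings along (Node.js and the WinDivert driver used to cut AV processes off from the network). The audit below is an added example written for this discussion; it is not code from the thread, from Microsoft, Talos or Trend Micro, and the registry paths, process-name heuristic and "Program Files" location are assumptions to adapt to your own estate.

```powershell
# Added defensive audit (example code, not from the thread or any vendor write-up).
# Reports the PowerShell/SRP hardening discussed above and looks for the legitimate
# tools (Node.js, WinDivert) the Nodersok/Divergent/Novter reports describe.
# Every check is a heuristic starting point, not a verdict.

$findings = @()

# 1. PowerShell restrictions: language mode of this session and the
#    machine-wide execution policy.
$findings += [pscustomobject]@{
    Check = 'PowerShell language mode'
    Value = $ExecutionContext.SessionState.LanguageMode
    Note  = 'ConstrainedLanguage limits what a downloaded script can do'
}
$findings += [pscustomobject]@{
    Check = 'Execution policy (LocalMachine)'
    Value = Get-ExecutionPolicy -Scope LocalMachine
    Note  = 'Restricted/AllSigned hinders ad-hoc script execution'
}

# 2. Software Restriction Policies (assumed registry location): is HTA listed
#    as an executable type, and does any path rule name *.hta?
$srp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
if (Test-Path $srp) {
    $types = (Get-ItemProperty -Path $srp -ErrorAction SilentlyContinue).ExecutableTypes
    $findings += [pscustomobject]@{
        Check = 'SRP ExecutableTypes contains HTA'
        Value = ($types -contains 'HTA')
        Note  = 'Without it, SRP path rules ignore .hta files'
    }
    $htaRules = Get-ChildItem -Path $srp -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ItemData } |
        Where-Object { $_ -like '*.hta*' }
    $findings += [pscustomobject]@{
        Check = 'SRP rule mentioning .hta'
        Value = [bool]$htaRules
        Note  = 'A Disallowed rule for *.hta blocks the HTA dropper stage'
    }
} else {
    $findings += [pscustomobject]@{
        Check = 'SRP configured'
        Value = $false
        Note  = 'No SRP policy key present'
    }
}

# 3. WinDivert: the packet-filter driver the campaign uses to block
#    outbound traffic from AV processes. Legitimate, but rarely expected
#    on an ordinary workstation.
$divert = Get-CimInstance Win32_SystemDriver |
    Where-Object { $_.Name -like '*WinDivert*' -or $_.PathName -like '*WinDivert*' }
$findings += [pscustomobject]@{
    Check = 'WinDivert driver present'
    Value = [bool]$divert
    Note  = 'Investigate if no packet-capture or VPN product explains it'
}

# 4. node.exe running from outside Program Files (assumed heuristic: a
#    developer box runs Node from its install directory, not from %TEMP%).
$oddNode = Get-Process -Name node -ErrorAction SilentlyContinue |
    Where-Object { $_.Path -and $_.Path -notlike "$env:ProgramFiles*" }
$findings += [pscustomobject]@{
    Check = 'node.exe outside Program Files'
    Value = (($oddNode | ForEach-Object { $_.Path }) -join '; ')
    Note  = 'A "fileless" stage still needs a Node host process somewhere'
}

$findings | Format-Table -AutoSize
```

Run it in an elevated session so that driver enumeration and process paths of other users' processes are visible; the SRP checks only see machine policy, so a rule pushed through a user-scope GPO will not show up here.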
Trend Micro named it "Novter": New Fileless Botnet Novter Distributed by KovCoreG Malvertising Campaign
October 1, 2019
https://blog.trendmicro.com/trendla...istributed-by-kovcoreg-malvertising-campaign/

Technical Brief (PDF - 1.10 MB): https://documents.trendmicro.com/assets/Tech-Brief-New-Fileless-Botnet-Novter-Distributed-by-KovCoreG-Malvertising-Campaign.pdf