New Nodersok malware contains Node.js and WinDivert

A malware, named Nodersok (according to Microsoft) and Divergent (according to Cisco Talos), has infected Windows computers across the world. The malware is distributed through malicious ads that force the download of HTA (HTML Application) files onto computers. Installing the malware is a multi-step process that includes downloading Excel, JavaScript, and PowerShell scripts.

According to the researchers, Nodersok is made up of several components. The PowerShell component disables Windows Defender and Windows Updates. Using another component, the malware can obtain System-level access for its further steps.

But the most troubling thing is that Nodersok contains two components which are legitimate apps: WinDivert and Node.js. WinDivert is very popular among network engineers for capturing and interacting with network packets. Node.js is a well-known developer tool for running JavaScript on web servers. These two legitimate apps are used to start a SOCKS proxy on infected hosts.

According to the researchers, these proxies perform click fraud and relay malicious traffic through the infected hosts. Nodersok's creators could also, at any point, deploy other modules to perform additional tasks, or even deploy secondary malware payloads such as ransomware or banking Trojans.

Microsoft and Cisco warn users not to run unknown HTA files they find on their computers. While Windows Defender should be able to identify and block Nodersok, the malware is a bit slippery because it leverages legitimate infrastructure, according to Microsoft. Because the malware is built from legitimate apps, it is harder for classic signature-based antivirus programs to detect.
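The article names three host-level behaviours a defender can check for directly: Defender real-time protection switched off, Windows Update disabled, and a Node.js process running with WinDivert loaded to act as a SOCKS proxy. The following read-only PowerShell triage script is an added example, not code from the article, Microsoft or Cisco Talos. It assumes the Defender cmdlets (`Get-MpPreference`) are available on the host, that the Windows Update service is named `wuauserv`, and that the WinDivert library ships as a DLL whose module name starts with `WinDivert` (the function names `Test-DefenderTampering`, `Test-WindowsUpdateDisabled`, `Find-NodeWithWinDivert` and `Get-NodersokTriageReport` are hypothetical, chosen for this example).

```powershell
# Added triage example (not from the article): check a Windows host for the three
# behaviours the article attributes to Nodersok. Run from an elevated prompt:
# Process.Modules is only populated for processes you are allowed to open and
# that match the bitness of the PowerShell host.

function Test-DefenderTampering {
    # Returns $true when Defender real-time monitoring has been switched off.
    try {
        $pref = Get-MpPreference -ErrorAction Stop
        return [bool]$pref.DisableRealtimeMonitoring
    } catch {
        # Defender cmdlets unavailable (e.g. another AV product registered):
        # report "not tampered" rather than guessing.
        return $false
    }
}

function Test-WindowsUpdateDisabled {
    # Returns $true when the Windows Update service (assumed name: wuauserv)
    # has its start mode set to Disabled. Uses CIM so it works on PowerShell 4+.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='wuauserv'" `
        -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return $false }
    return $svc.StartMode -eq 'Disabled'
}

function Find-NodeWithWinDivert {
    # Returns one object per node.exe process that has loaded a module whose
    # name starts with "WinDivert" (assumption about the library's file naming);
    # returns an empty array when nothing matches.
    $hits = @()
    foreach ($proc in (Get-Process -Name node -ErrorAction SilentlyContinue)) {
        try {
            $mods = $proc.Modules | Where-Object { $_.ModuleName -like 'WinDivert*' }
        } catch {
            continue   # access denied or bitness mismatch: skip this process
        }
        if ($mods) {
            $hits += [pscustomobject]@{
                ProcessId = $proc.Id
                Path      = $proc.Path
                Modules   = ($mods | ForEach-Object { $_.FileName }) -join ';'
            }
        }
    }
    return ,$hits
}

function Get-NodersokTriageReport {
    # Collects the three checks into a single object for logging or review.
    [pscustomobject]@{
        DefenderRealtimeDisabled = Test-DefenderTampering
        WindowsUpdateDisabled    = Test-WindowsUpdateDisabled
        NodeWithWinDivert        = Find-NodeWithWinDivert
    }
}

Get-NodersokTriageReport | Format-List
```

Each indicator on its own is weak: administrators sometimes disable Windows Update deliberately, and developers routinely run Node.js. The combination of all three on a workstation that should have none of them is what makes the report worth escalating, which is exactly why the article notes that legitimate components make signature-based detection hard and behavioural checks like these necessary.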

For more details, read the blog posts by Microsoft and Cisco Talos.