Microsoft: Thousands Of Windows PCs Affected By 'Nodersok Malware'

Warning! Thousands of Windows PCs around the world have been infected with a new malware strain called 'Nodersok', which downloads and installs a copy of the Node.js framework to turn infected systems into proxies and to perform click fraud.

Nodersok Malware

The malware, named 'Nodersok', was first spotted over the summer. It is distributed through malicious ads that force the download of an HTA (HTML application) file onto the victim's machine; when the user runs that file, it starts a multi-stage infection process that ends with Nodersok installed on the system. Microsoft observed the infected workstations being used as proxies for malicious traffic, while Cisco researchers, who analysed the same malware, observed it being used for click fraud. Researchers note that the malware is still under active development and could gain new capabilities at any time, which, given how widespread it already is, is a serious concern. Windows Defender already detects the malware, but users are advised not to run any HTA file, especially one whose origin they cannot verify.
Users who found and ran these HTA files set off a multi-stage infection chain involving Excel, JavaScript and PowerShell that eventually downloaded and installed the Nodersok malware.

Microsoft's report describes Nodersok as fileless: it relies on living-off-the-land binaries (LOLBins), that is, tools and functionality already present on the machine, and downloads legitimate components such as WinDivert (Windivert.dll and its .sys driver) and node.exe from the Node.js framework to carry out its malicious work. No malicious executable is ever written to the infected machine's disk; the only binaries dropped are legitimate ones, and the malicious logic lives in scripts and in memory.

Nodersok Attack

  1. The attack starts when a user clicks a malicious link and downloads an HTML application (HTA) file with a name such as Player1566444384.hta (the digits vary from one instance of the attack to the next). The file contains JavaScript code that downloads the second component of the malware, an XSL file. 
  2. The XSL file runs a PowerShell command that downloads additional malicious modules. 
  3. The final stage drops the JavaScript payload together with some Node.js modules. 
  4. This JavaScript, run by the Node.js framework, turns the infected system into a "proxy zombie" that the attackers can use for malicious activities.
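
The chain described above and Microsoft's LOLBin description (mshta.exe running an HTA, Excel, PowerShell, node.exe dropped outside any normal install path) translate directly into hunting logic. The Python below is an added example written for this article, not code from the original page or from Microsoft: it runs the checks a practitioner would want over process-creation telemetry (Sysmon Event ID 1 style records). The sample events, the Player<digits>.hta name, the "trusted directory" prefixes, the base64 blob and the WinDivert driver file names are constructed or assumed for the demonstration.

```python
"""Hunt for a Nodersok-style chain (mshta.exe -> Excel -> PowerShell -> node.exe)
in process-creation telemetry. Added example; every event below is constructed."""
import base64
import re
from collections import namedtuple
from typing import Dict, List, Optional

# Minimal view of a Sysmon Event ID 1 / EDR process-creation record.
Event = namedtuple("Event", "pid ppid image cmdline")

# Constructed sample telemetry (not real data): one Nodersok-like chain plus a
# benign developer running Node.js from its normal install directory.
SAMPLE_EVENTS = [
    Event(100, 1, r"C:\Program Files\Mozilla Firefox\firefox.exe", '"firefox.exe"'),
    Event(200, 100, r"C:\Windows\System32\mshta.exe",
          r'"C:\Windows\System32\mshta.exe" "C:\Users\bob\Downloads\Player1566444384.hta"'),
    Event(300, 200, r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
          '"EXCEL.EXE" /automation -Embedding'),
    Event(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          "powershell.exe -nop -w hidden -enc aQBlAHgA"),
    Event(500, 400, r"C:\Users\bob\AppData\Local\Temp\node.exe",
          r'"node.exe" "C:\Users\bob\AppData\Local\Temp\payload.js"'),
    Event(600, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    Event(700, 600, r"C:\Program Files\nodejs\node.exe", "node.exe server.js"),
]

# Assumption: sanctioned copies of node.exe / WinDivert live under Program Files.
TRUSTED_PREFIXES = (r"c:\program files", r"c:\program files (x86)")
# Legitimate binaries the article says Nodersok drops; the .sys names follow the
# standard WinDivert distribution (assumption, not taken from the article).
DROPPED_ARTEFACTS = {"node.exe", "windivert.dll", "windivert64.sys", "windivert32.sys"}

HTA_ARG = re.compile(r'"([^"]+\.hta)"|(\S+\.hta)\b', re.IGNORECASE)
PLAYER_HTA = re.compile(r"\\Player\d+\.hta$", re.IGNORECASE)  # naming from the article
# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)

def hta_launched_by_mshta(ev: Event) -> Optional[str]:
    """Return the .hta path when mshta.exe is executing an HTA file, else None."""
    if basename(ev.image) != "mshta.exe":
        return None
    m = HTA_ARG.search(ev.cmdline)
    return (m.group(1) or m.group(2)) if m else None

def matches_nodersok_naming(hta_path: str) -> bool:
    """True for the Player<digits>.hta file names described in the article."""
    return PLAYER_HTA.search(hta_path) is not None

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Decode PowerShell's -EncodedCommand argument (base64 of UTF-16LE text)."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def lineage(events: List[Event], pid: int) -> List[str]:
    """Image basenames from the outermost known ancestor down to pid."""
    by_pid: Dict[int, Event] = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:  # 'seen' guards against pid-reuse loops
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]

def find_nodersok_chains(events: List[Event]) -> List[dict]:
    """Flag node.exe started outside a trusted directory whose ancestry contains
    both mshta.exe and powershell.exe, i.e. the HTA -> PowerShell -> Node.js chain."""
    hits = []
    for ev in events:
        if basename(ev.image) != "node.exe" or in_trusted_dir(ev.image):
            continue
        chain = lineage(events, ev.pid)
        if "mshta.exe" in chain and "powershell.exe" in chain:
            hits.append({"pid": ev.pid, "chain": chain})
    return hits

def suspicious_drops(file_paths: List[str]) -> List[str]:
    """Paths of the legitimate-but-abused binaries when written outside a trusted dir."""
    return [p for p in file_paths
            if basename(p) in DROPPED_ARTEFACTS and not in_trusted_dir(p)]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        hta = hta_launched_by_mshta(ev)
        if hta:
            print(f"mshta ran {hta} (Nodersok naming: {matches_nodersok_naming(hta)})")
        if decode_encoded_command(ev.cmdline):
            print(f"pid {ev.pid} encoded PowerShell -> {decode_encoded_command(ev.cmdline)!r}")
    for hit in find_nodersok_chains(SAMPLE_EVENTS):
        print("Nodersok-style chain:", " -> ".join(hit["chain"]))
```

The lineage check is the part worth turning into a Sysmon or EDR rule: node.exe whose ancestry includes mshta.exe and powershell.exe, with an allow-list for sanctioned Node.js installs. Defender's signature covers the known samples; the ancestry check still fires if the HTA naming or the dropped file names change, which matters given the article's note that the malware is still under development.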

Nodersok Malware Attack Overview (figure from Microsoft's Nodersok report)
Nodersok has been hitting thousands of users over the last several weeks, with most targets located in the United States and Europe. The majority of targets are consumers, but about 3% of encounters were observed in organisations in sectors such as education, professional services, healthcare, finance and retail.
Among those organisational encounters, education is the most affected sector, with a 42% share.
