New Windows Malware Hides in Plain Sight

It seems like everything needs a brand these days. This can make it easy to refer to something that would otherwise be cumbersome to identify, which is why many security researchers have started naming their discoveries, but it can also lead to some confusion. That's exactly what happened earlier this week when the Microsoft Defender Advanced Threat Protection Research Team and Cisco Talos gave the same malware two different names.

Microsoft named the malware Nodersok; Cisco Talos named it Divergent. Whatever it's called, the malware relies on "living-off-the-land" techniques that repurpose legitimate tools for malicious ends. The repurposed tools are called "living-off-the-land binaries," or LOLBins for short, and because the malicious logic runs inside those trusted binaries from memory rather than as an executable written to disk, this so-called fileless malware slips past the file-scanning detection that most Windows security products depend on.

Here's what Microsoft said about Nodersok's method of infection:

"Like the Astaroth campaign, every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk."

In this case the malware downloads Node.exe and WinDivert to use as its LOLBins. Both are legitimate software: the former is "the Windows implementation of the popular Node.js framework used by countless web applications," as Microsoft put it (strictly speaking, Node.js is a JavaScript runtime), while the latter is "a powerful network packet capture and manipulation utility." Both are harmless in ordinary use, but a script interpreter and a packet-manipulation driver are exactly the building blocks Nodersok's creators needed to run their code without ever dropping a malicious executable of their own.
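The chain Microsoft describes (built-in script hosts launching a downloaded node.exe, with WinDivert loaded alongside, and nothing malicious written to disk) is the kind of thing a defender hunts for in process telemetry rather than with file signatures. The following Python is an added example, not code from Microsoft, Cisco Talos or this article: it runs a few heuristic rules over constructed Sysmon-style process-creation (EventID 1) and driver-load (EventID 6) records. The sample events, the "trusted" install roots, the encoded-command pattern and the rule names are all assumptions made for the illustration; only the binaries themselves (mshta.exe, powershell.exe, node.exe, WinDivert) come from the page.

```python
"""Heuristic hunt for a LOLBin chain of the Nodersok/Divergent shape.

Added example with constructed data; not Microsoft's or Talos's detection logic.
"""
import re
from pathlib import PureWindowsPath

# Binaries named in the Microsoft quote: built-in script hosts and the
# downloaded third-party LOLBins (node.exe plus the WinDivert dll/sys).
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe"}
DROPPED_LOLBINS = {"node.exe"}
DRIVER_PREFIX = "windivert"

# Assumption: a legitimate Node.js install lives under one of these roots;
# a copy dropped anywhere else (user profile, Temp) is suspicious.
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)")

# Heuristic: PowerShell started with an encoded command (-e/-ec/-enc/-EncodedCommand).
ENCODED_CMD = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?:\s|$)", re.IGNORECASE)

# Constructed sample telemetry in key=value form with Sysmon field names. Not real logs.
SAMPLE_EVENTS = [
    r"EventID=1 Image=C:\Windows\explorer.exe ParentImage=C:\Windows\System32\userinit.exe CommandLine=explorer.exe",
    r"EventID=1 Image=C:\Windows\System32\mshta.exe ParentImage=C:\Windows\explorer.exe CommandLine=mshta.exe C:\Users\alice\Downloads\download.hta",
    r"EventID=1 Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe ParentImage=C:\Windows\System32\mshta.exe CommandLine=powershell.exe -nop -w hidden -enc QQBBAEEA",
    r"EventID=1 Image=C:\Users\alice\AppData\Local\Temp\node.exe ParentImage=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine=node.exe -e <inline script>",
    r"EventID=6 ImageLoaded=C:\Users\alice\AppData\Local\Temp\windivert.sys Signed=true",
    r"EventID=1 Image=C:\Program Files\nodejs\node.exe ParentImage=C:\Program Files\Microsoft VS Code\Code.exe CommandLine=node.exe server.js",
]


def parse_event(line):
    """Split 'Key=value Key=value ...' into a dict. Values may contain spaces,
    so we only split on whitespace that is followed by another 'Key='."""
    fields = {}
    for token in re.split(r"\s(?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return PureWindowsPath(path).name.lower()


def trusted(path):
    return path.lower().startswith(TRUSTED_ROOTS)


def hunt(lines):
    """Return one finding per rule hit: {'rule', 'image', 'parent'}."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        rules = []
        if ev.get("EventID") == "1":
            image, parent = ev.get("Image", ""), ev.get("ParentImage", "")
            cmd = ev.get("CommandLine", "")
            img, par = base(image), base(parent)
            # One built-in script host launching another (mshta.exe -> powershell.exe).
            if img in SCRIPT_HOSTS and par in SCRIPT_HOSTS and img != par:
                rules.append("script-host-chain")
            # PowerShell fed an encoded payload instead of a script on disk.
            if img == "powershell.exe" and ENCODED_CMD.search(cmd):
                rules.append("encoded-powershell")
            # The downloaded LOLBin started by a script host ...
            if img in DROPPED_LOLBINS and par in SCRIPT_HOSTS:
                rules.append("lolbin-from-script-host")
            # ... or running from somewhere a real install would not live.
            if img in DROPPED_LOLBINS and not trusted(image):
                rules.append("lolbin-untrusted-path")
        elif ev.get("EventID") == "6":
            image, parent = ev.get("ImageLoaded", ""), ""
            # A WinDivert driver loaded from a user-writable location.
            if base(image).startswith(DRIVER_PREFIX) and not trusted(image):
                rules.append("packet-driver-untrusted-path")
        for rule in rules:
            findings.append({"rule": rule, "image": image, "parent": parent})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f['rule']:30} {f['image']}  <- {f['parent']}")
```

Run on the constructed sample, the benign node.exe started by an editor from Program Files produces nothing, while the mshta.exe to powershell.exe to Temp\node.exe chain and the driver load each fire. None of these rules is a signature: each is a behavioural tell that a legitimate binary is being used in a way its normal install never is, which is the only kind of check that survives the "no malicious executable is ever written to the disk" design Microsoft describes.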

Microsoft said it saw the first indicators of Nodersok in mid-July, and that "it's been pestering thousands of machines in the last several weeks, with most targets located in the United States and Europe." Most of the affected systems are consumer devices. Cisco Talos said it believes the malware "is currently under active development" because it "has observed multiple versions of the loader being used to install" the malware with two names.

The malware's name isn't the only thing Microsoft and Cisco Talos disagree on. Both say Nodersok / Divergent spreads through malicious ads that trigger a download, which in turn fetches and installs the LOLBins the malware needs, but they differ on what it is for. Microsoft thinks it turns infected machines into relays for malicious traffic; Cisco Talos says its operators use it for click fraud. More details are in the two companies' disclosures.