Nodersok malware uses its own LOLBins, turns PCs into proxy zombies

New fileless Nodersok malware brings Node.js and WinDivert LOLBins to operate a click-fraud scheme

Image caption: Microsoft's security research team discovered a new strain of fileless malware that imports its own LOLBins, Node.js and WinDivert.

A new dangerous malware strain has been spotted in the wild. Named Nodersok by Microsoft[1] and Divergent by Cisco Talos,[2] this fileless malware[3] downloads a Node.js component and leverages the open-source utility WinDivert in order to turn infected computers into proxy zombies that commit click fraud.

Microsoft claims that fileless malware is among the hardest threats for cybersecurity solutions to tackle, as it uses legitimate applications already present on the computer to execute malicious commands. This technique is often referred to by experts as living-off-the-land[4], and the abused binaries as LOLBins.

However, Nodersok is different in this regard, as it brings its own LOLBins to perform malicious changes. As Microsoft researchers explain, the imported tools are neither malicious nor flawed, but can still be abused by malware:

Like any LOLBin, these tools are not malicious or vulnerable; they provide important capabilities for legitimate use. It’s not uncommon for attackers to download legitimate third-party tools onto infected machines (for example, PsExec is often abused to run other tools or commands). However, Nodersok went through a long chain of fileless techniques to install a pair of very peculiar tools with one final objective: turn infected machines into zombie proxies.

The infection and operation process of Nodersok

Researchers found Nodersok to be quite an exceptional piece of malware, not only due to its sophisticated fileless techniques but also because of the way it uses network infrastructure to evade detection. Nevertheless, Microsoft managed to spot the suspicious activity as soon as MSHTA.exe was flagged on infected users' Windows machines, and other irregularities prompted further investigation.

The infection starts as soon as victims stumble upon booby-trapped ads that automatically download a malicious HTA file. Once users are tricked into opening the file, a multi-stage infection process is triggered, which involves JavaScript (executed outside of the browser), an MS Excel document, and PowerShell commands.

Nodersok is modular malware, meaning that it leverages different components to perform different tasks. For example, the PowerShell module tries to disable Windows Defender and Windows Update upon installation, while other components try to gain elevated permissions, usually at the system level.

The imported LOLBins are used for a different purpose – the Node.js component handles traffic communications, while WinDivert executes JavaScript outside the browser. Both of them, however, are used to establish a SOCKS proxy on the host machine.

The stated purpose of the SOCKS proxy differs between Microsoft's and Cisco Talos' reports. Microsoft claims that the malware uses the component to relay malicious traffic, while Cisco Talos researchers believe that it is used to commit click fraud:

The all_socks component is a NodeJS-based Socket.IO client that is commanded to navigate to arbitrary web pages by the attacker ostensibly for monetization and click fraud purposes.

Nodersok targets the United States and Europe – protect yourself

First seen in July 2019, Nodersok mostly targeted US users, although Europeans were affected as well:

  • United States 60%
  • United Kingdom 21%
  • Germany 8%
  • Italy 5%
  • France 3%
  • Sweden 1%
  • Others 2%

While most of the infected computers belonged to regular users, 3% of infections occurred in organizations, mostly from the education sector (42%), although healthcare, financial, retail and other sectors were affected as well.

Even though Microsoft and Cisco Talos researchers disagree on the function of the malware's SOCKS proxy, this does not really matter for end users, as it is a significant security threat to them either way. Because Nodersok is a sophisticated threat, the attackers could add other modules to it, such as ones that download additional malicious software or harvest banking details and other sensitive information.

Microsoft says that thousands of users have already been infected with the threat within the past few weeks, so it is vital to keep an eye on malicious .HTA files that are downloaded automatically. While the fileless infection method and the use of legitimate applications make the threat extremely hard for security solutions to detect, its post-infection operation can be flagged by most anti-malware tools.
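As an added illustration (not code from the Microsoft or Cisco Talos reports), the following Python pass runs over constructed process-creation events and flags the chain described above: mshta.exe running an .hta file, mshta.exe spawning PowerShell that tampers with Defender or Windows Update, and node.exe launched from a user-writable path, which is where the proxy stage would live. The event format, file paths and command lines are assumptions.

```python
"""Toy detection pass for a Nodersok-style infection chain.

Events are (parent_image, image, command_line) tuples; this shape and all
sample values below are constructed for the example, not real telemetry.
"""
import re

# Constructed sample events: a browser-launched HTA, the HTA spawning a
# PowerShell that disables Defender, a node.exe dropped in Temp, plus two
# benign events (a developer's node.exe from Program Files, and notepad).
SAMPLE_EVENTS = [
    ("chrome.exe", r"C:\Windows\System32\mshta.exe",
     r"mshta.exe C:\Users\alice\Downloads\invoice.hta"),
    ("mshta.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "powershell -w hidden -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("powershell.exe", r"C:\Users\alice\AppData\Local\Temp\node.exe",
     r"node.exe C:\Users\alice\AppData\Local\Temp\all_socks.js"),
    ("explorer.exe", r"C:\Program Files\nodejs\node.exe", r"node.exe C:\dev\server.js"),
    ("explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

# Paths an unprivileged user can write to; a Node.js binary running from
# here rather than an install directory is the suspicious part.
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# PowerShell fragments that weaken Defender or the Windows Update service.
AV_UPDATE_TAMPER = re.compile(
    r"Set-MpPreference|DisableRealtimeMonitoring|DisableAntiSpyware|wuauserv",
    re.IGNORECASE)


def classify(parent, image, cmdline):
    """Return the list of detection tags that apply to one event."""
    tags = []
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe == "mshta.exe" and ".hta" in cmdline.lower():
        tags.append("hta_execution")
    if parent.lower() == "mshta.exe" and exe == "powershell.exe":
        tags.append("mshta_spawns_powershell")
    if exe == "powershell.exe" and AV_UPDATE_TAMPER.search(cmdline):
        tags.append("av_update_tamper")
    if exe == "node.exe" and USER_WRITABLE.search(image):
        tags.append("node_from_user_path")
    return tags


def scan(events):
    """Map event index -> tags for every event that triggered at least one tag."""
    hits = {i: classify(*ev) for i, ev in enumerate(events)}
    return {i: t for i, t in hits.items() if t}
```

Running `scan(SAMPLE_EVENTS)` flags the first three constructed events and leaves the developer's node.exe and notepad untouched; the per-process tags are meant to be correlated by host, since any one of them alone is weak evidence.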

Fileless malware appears to be a growing threat, and one that makes it ever harder for AV makers to detect it and protect users. Just a few months ago, Microsoft also released a report on another fileless malware, Astaroth.[5]

About the author
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
