Nodersok malware turns PCs into potential "proxy zombies"

News by Rene Millman

Fileless attacks use legitimate code to infect systems. The malware also uses computer's own LOLBins to infect machines

Security researchers have discovered a new malware campaign that uses the PC's own binaries to infect it as well as its own legitimate software.

Dubbed Nodersok by the Microsoft Defender ATP Research Team, the malware abuses legitimate tools, also called living-off-the-land binaries (LOLBins), that already exist on machines. 

The malware also uses its own LOLBins to infect machines; Node.exe, the Windows implementation of the popular Node.js framework, and WinDivert, a network packet capture and manipulation utility.

The researchers said that these LOLBin tools are not malicious or vulnerable; they provide important capabilities for legitimate use. 

"However, Nodersok went through a long chain of fileless techniques to install a pair of very peculiar tools with one final objective: turn infected machines into zombie proxies," they said in a blog post.

The malware has hit thousands of machines in the last several weeks, with most targets located in the US and Europe. Researchers said that three percent of encounters are observed in organisations in sectors such as education, professional services, healthcare, finance, and retail.

Researchers said that the campaign is particularly interesting not only because it employs advanced fileless techniques, "but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar".

"We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry. In the days that followed, more anomalies stood out, showing up to a ten-fold increase in activity," researchers added.

Nodersok goes through a few stages to infect machines. It begins when a victim browses malvertising or clicks on a malicious link that runs an HTA file. The JavaScript in the HTA file downloads a second-stage component, an XSL file containing a JavaScript-based script or a standalone JavaScript file.

This then launches a PowerShell command by hiding the encoded command test inside an environmental carriable. This then downloads and runs more encrypted commands to disable Windows Defender and elevate privileges. 

More code runs Windivert and Node.exe. Finally app.js is executed to turn the machine into a proxy.

Researchers said that like an earlier campaign, "every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys)."

"All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk," they added.

Patrice Puichaud, senior director, SE, EMEA & APAC at SentinelOne, told SC Media UK that the key is to look at the behaviour of processes executing on the endpoint rather than inspecting the files on the machine. 

"This is effective because, despite the large and increasing number of malware variants, they operate in very similar ways. The number of malware behaviours is considerably smaller than the number of ways a malicious file might look, making this approach suitable for prevention and detection," he said.

Jake Moore, cybersecurity specialist at ESET, told SC Media UK that to prevent these specific attacks, companies should test their own employees’ cyber-risk with simulated phishing emails.  "If carried out in a thoughtful way where no one will be vindicated, it can have some very positive effects and reduce attacks such as this one," he said.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews