Nodersok malware campaign is infecting thousands, Microsoft warns

Microsoft’s threat detection team has issued a warning over a new fileless malware campaign, dubbed Nodersok, which already appears to have infected many thousands of Windows endpoints – mostly in the US and the UK – following a spike in activity detected between 5 and 11 September.

Microsoft said it uncovered the campaign in mid-July, when it saw suspicious patterns emerge through its Defender Advanced Threat Protection (ATP) telemetry. These related to anomalous usage of an executable file.

“The majority of targets are consumers, but about 3% of encounters are observed in organisations in sectors like education, professional services, healthcare, finance and retail,” said Microsoft principal security researcher Andrea Lelli in a blog post.

Nodersok differs from other malware campaigns in that it delivers two unusual but legitimate tools, said Microsoft. These are Node.exe, the Windows implementation of the Node.js framework, and WinDivert, a network packet capture and manipulation utility.

“Part of the slyness of fileless malware is its use of living-off-the-land techniques which refer to the abuse of legitimate tools, also called living-off-the-land binaries (LOLbins) that already exist on machines through which malware can persist, move laterally, or serve other purposes,” wrote Lelli.

“But what happens when attackers require functionality beyond what is provided by standard LOLBins? Nodersok decided to bring its own LOLBins.

“Like any LOLBin, these tools are not malicious or vulnerable; they provide important capabilities for legitimate use. It’s not uncommon for attackers to download legitimate third-party tools onto infected machines. However, Nodersok went through a long chain of fileless techniques to install a pair of very peculiar tools with one final objective: turn infected machines into zombie proxies.”

Lelli added: “While the file aspect of the attack was very tricky to detect, its behaviour produced a visible footprint that stands out clearly for anyone who knows where to look.”

Nodersok victims become infected when they download and run an HTML application called Player156444384.hta (these digits vary), most likely through compromised online advertisements through legitimate content delivery service Cloudfront.

In a multiple-stage process – which includes the launch of several instances of PowerShell to run additional malicious modules which, among other things, disable both Windows Defender Antivirus and Windows updates – the infection culminates in a final JavaScript payload written for Node.js, which turns the endpoint into a potential proxy zombie.

“Irrelevant of method of infection, the advice for protection against file-based or fileless malware hasn’t changed much over the years,” said Gavin Millard, vice-president of intelligence at Tenable.

“Reduce your attack surface by patching vulnerabilities targeted by malware, have robust inbound mail and web filtering to identify and quarantine questionable attachments, educate users on responsible execution of files, have up-to-date malware defence, and ensure systems are configured in a secure manner.

“No matter the sophistication of malware, by focusing on reducing the attack surface, most can be easily mitigated with foundational security controls working effectively.”

Millard added: “There has been a spate of privilege elevation vulnerabilities affecting Windows systems of late that should also be patched, as more sophisticated malware will attempt to gain a higher level of access before installing all their wares.”