New #Nodersok #malware has infected thousands of PCs

Brink

Staff member
mvp
Thousands of Windows computers across the world have been infected with a new strain of malware that downloads and installs a copy of the Node.js framework to convert infected systems into proxies and perform click-fraud.

The malware, named Nodersok (in a Microsoft report) and Divergent (in a Cisco Talos report), was first spotted over the summer, distributed via malicious ads that forcibly downloaded HTA (HTML application) files on users' computers.

Users who found and ran these HTA files started a multi-stage infection process involving Excel, JavaScript, and PowerShell scripts that eventually downloaded and installed the Nodersok malware.

The malware itself has multiple components, each with its own role. There's a PowerShell module that tries to disable Windows Defender and Windows Update, and there's a component for elevating the malware's permissions to SYSTEM level.

But there are also two components that are legitimate apps -- namely WinDivert and Node.js. The first is an app for capturing and interacting with network packets, while the second is a well-known developer tool for running JavaScript on web servers.

According to Microsoft and Cisco reports, the malware uses the two legitimate apps to start a SOCKS proxy on infected hosts. But here is where the reports diverge. Microsoft claims the malware turns infected hosts into proxies to relay malicious traffic. Cisco, on the other hand, says these proxies are used to perform click-fraud.

Nevertheless, malware is malware, and it's not a good sign when someone gets infected, despite the output. Just like any other malware strain built on a client-server architecture, Nodersok's creators could, at any point, deploy other modules to perform additional tasks, or even deploy secondary malware payloads like ransomware or banking trojans.

Since Microsoft found the malware, Windows Defender should also be able to spot it.

To prevent infections, the best advice is that users not run any HTA files they find on their computers, especially if they don't know the files' precise origin. Files downloaded from a web page out of the blue are always a bad sign and shouldn't be trusted, regardless of extension.

According to Microsoft telemetry, Nodersok has managed to already infect "thousands of machines in the last several weeks." Most of the infections have taken place this month, and have hit US and EU-based users, the company said...

Read more:
 

My Computers

System One System Two

  • Operating System
    Windows 10 Pro 64-bit
    Manufacturer/Model
    Custom
    CPU
    Intel i7-8700K 5 GHz
    Motherboard
    ASUS ROG Maximus XI Formula Z390
    Memory
    16 GB (8GBx2) G.SKILL TridentZ DDR4 3200 MHz
    Graphics Card(s)
    ASUS ROG-STRIX-GTX1080TI-O11G-GAMING
    Sound Card
    Integrated Digital Audio (S/PDIF)
    Monitor(s) Displays
    3 x 27" Asus VE278Q
    Screen Resolution
    1920x1080
    Hard Drives
    1TB Samsung 970 EVO Plus M.2,
    250GB Samsung 960 EVO M.2,
    6TB WD Black WD6001FZWX
    8TB WD MyCloudEX2Ultra NAS
    PSU
    Seasonic Prime Titanium 850W
    Case
    Thermaltake Core P3
    Cooling
    Corsair Hydro H115i
    Mouse
    Logitech MX Master
    Keyboard
    Logitech wireless K800
    Internet Speed
    1 Gb/s Download and 35 Mb/s Upload
    Other Info
    Logitech Z625 speaker system,
    Logitech BRIO 4K Pro webcam,
    HP Color LaserJet Pro MFP M477fdn,
    Linksys EA9500 router,
    Arris SB8200 cable modem,
    APC SMART-UPS RT 1000 XL - SURT1000XLI,
    Lumia 1520 phone
  • Operating System
    Windows 10 Pro
    Manufacturer/Model
    HP Envy Y0F94AV
    CPU
    i7-7500U @ 2.70 GHz
    Memory
    16 GB DDR4-2133
    Graphics card(s)
    NVIDIA GeForce 940MX
    Sound Card
    Conexant ISST Audio
    Monitor(s) Displays
    17.3" UHD IPS touch
    Screen Resolution
    3480 x 2160
    Hard Drives
    512 GB M.2 SSD

wither 3

Vista Guru
Gold Member
I wonder if software like Malwarebytes has been updated yet to detect it. I went to their forum and searched on it but came up empty.
 

My Computer

System One

  • Operating System
    Vista Home Premium 64 bit SP2
    Manufacturer/Model
    Cyberpower
    CPU
    Intel Quad CPU Q6700 2.67 GHZ
    Motherboard
    NVIDIA 780i
    Memory
    4 GB
    Graphics Card(s)
    MSI GTX 560 TI Twin Frozr
    Sound Card
    Sound Blaster SB Audigy
    Monitor(s) Displays
    Viewsonic VG2436
    Screen Resolution
    1920x1080p
    Hard Drives
    Samsung HD 105SI
    WDC WD20
    Case
    Apevia XJupiter
    Cooling
    air
    Mouse
    Logitech MX 600
    Keyboard
    Logitech MX 3200
    Internet Speed
    30 Mbps

lmacri

Vista Pro
I wonder if software like Malwarebytes has been updated yet to detect it. I went to their forum and searched on it but came up empty.
Hi wither 3:

See David H. Lipman's post # 2 in the Malwarebytes 3 forum thread Nodersok. I assume that comment only applies to Malwarebytes Premium users with a paid subscription who have the real-time Exploit Protection module enabled. The Malwarebytes Lab blog also posted a 2-part series of articles in late 2018 about how anti-exploit can help mitigate attacks from this type of malware - see Fileless Malware: Getting the Lowdown on This Insidious Threat.
----------
32-bit Vista Home Premium SP2 * Norton Security Deluxe v22.15.2.22 * Malwarebytes Free v3.5.1-1.0.365
 

My Computer

System One

  • Operating System
    32-bit Vista SP2 Home Premium
    Manufacturer/Model
    HP Pavilion dv6835ca
    CPU
    Intel Core2Duo T5550 @ 1.83 GHz
    Motherboard
    Quanta 30D2 (U2E1)
    Memory
    3 GB RAM
    Graphics Card(s)
    NVIDIA GeForce 8400M GS
    Sound Card
    Realtek High Definition Audio
    Hard Drives
    250 GB SATA Western Digital Scorpio WD2500BEVS 5400 rpm
    Internet Speed
    5 MBps
    Other Info
    Norton Security Deluxe v22.15.2.22

wither 3

Vista Guru
Gold Member
Hi Imacri-

Thanks for the information. Very enlightening.

For information, I was finally able to install v3.5.1. See-
Malwarebytes no longer supported in Vista?.

Not sure it does anything more than v2.2.1 was doing but that's a discussion for that thread.
 

My Computer

System One

  • Operating System
    Vista Home Premium 64 bit SP2
    Manufacturer/Model
    Cyberpower
    CPU
    Intel Quad CPU Q6700 2.67 GHZ
    Motherboard
    NVIDIA 780i
    Memory
    4 GB
    Graphics Card(s)
    MSI GTX 560 TI Twin Frozr
    Sound Card
    Sound Blaster SB Audigy
    Monitor(s) Displays
    Viewsonic VG2436
    Screen Resolution
    1920x1080p
    Hard Drives
    Samsung HD 105SI
    WDC WD20
    Case
    Apevia XJupiter
    Cooling
    air
    Mouse
    Logitech MX 600
    Keyboard
    Logitech MX 3200
    Internet Speed
    30 Mbps
Top