Microsoft and Cisco have discovered a new malware that has infected thousands of PC across the US and Europe. Strangely, the pair don’t agree on exactly what it does, with Cisco instead calling the threat ‘Divergent’.
Both companies published their findings in a blog post on Thursday. Microsoft believes Nodersok is used to “turn infected machines into zombie proxies”. It does via a chain of fileless and difficult to detect techniques that the company was able to flag with its Windows Defender ATP software.
“While the file aspect of the attack was very tricky to detect, its behavior produced a visible footprint that stands out clearly for anyone who knows where to look. With its array of advanced defensive technologies, Microsoft Defender ATP, defeated the threat at numerous points of dynamic detection throughout the attack chain,” said the tech giant.
Nodersok has been spreading during the past few weeks, with 60% of attacks in the US and 21% in the UK. The sector most affected seems to be education, which accounted for 42% of the attacks.
Piggybacking off Non-Malicious Software
To perform the attack, the malware uses NodeJs and a utility called WinDivert, both legitimate programs. Unlike Microsoft, Cisco Talos was unable to break down the attack chain, but analysis of the delivery mechanism leads the team to believe it’s a device for click fraud.
“Divergent is a malware family designed to generate revenue for attackers via the use of click-fraud, similar to other click-fraud malware such as Kovter,” said the company.
Microsoft says the attack begins when the user downloads and runs a HTML application (HTA) file named Player1566444384. It says after execution, telemetry always points towards suspicious advertisement services, but that these are used as an infection vector.
Both Cisco and Microsoft agree that the code is still in the early stages of development, but works. The node.js-based proxy engine connects back to a command and control center and receives HTTP proxy requests back to it.
Thankfully, both Windows Defender ATP and Cisco’s Advanced Malware Detection can block the malware, despite its stealth. As always, general users should be cautious of files sent them without a prior arrangement and avoid suspicious websites.