When discovering a new malware attack, it is always good to give it a scary name. So, how does “zombie proxies” sound? That's what Microsoft and Cisco's Talos researchers have called a new strain of malware that infects Windows PCs.
The attack method turns PCs into the so-called zombie proxies through normally legitimate programs. Microsoft says the attack is already in the wild and has infected multiple computers in Europe and the United States.
In separate reports last week, Microsoft and Cisco Talos highlighted the new attack method. Aside from banding the term zombie proxies, Microsoft calls the attack “Nodersok”. Cisco Talos has named the new cyber threat “Divergent”.
“The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar.
“All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk,” a Microsoft blog post reads.
Because the malware can disable Windows Defender, the attacker can take control of the PC. Microsoft and Cisco don't agree on what the objective of the attack is. Redmond says it is likely bad actors use the zombie proxies to get onto networks and conduct stealth malware attacks.
On the other hand, Cisco Talos says the malware is similar to virus attacks that target click-fraud. Whichever is correct, Microsoft says the attack is already successful and has been observed on thousands of machines this month.
The Nodersok campaign has been pestering thousands of machines in the last several weeks, with most targets located in the United States and Europe. The majority of targets are consumers, but about 3% of encounters are observed in organizations in sectors like education, professional services, healthcare, finance, and retail.