
Thousands of PCs Infected with Windows Malware: Here's What To Do

Microsoft and Cisco Talos both published comprehensive reports about the malware, explaining how the attack gets users to download a malicious HTML file, then uses the popular Node.js framework (which executes JavaScript outside a web browser) and WinDivert (a network packet capture tool) to infect and take control of a computer. The infected HTML application, or HTA, is typically distributed through malicious ads served through legitimate content delivery services, like Amazon CloudFront.

Once the file runs, it downloads additional JavaScript code that eventually starts PowerShell and writes a malicious script. That happens multiple times, with each instance of PowerShell leading to the next stage of the attack, starting with disabling Windows Defender Antivirus and ending with a JavaScript payload that runs on node.exe. The final JavaScript payload turns the infected device into a proxy zombie that an attacker can use to carry out various malicious activities.

Microsoft calls the malware Nodersok, while Cisco Talos calls it Divergent. Either way, the attack is said to primarily target everyday consumers in the United States and Europe; Microsoft says 3% of encounters were seen in organizations in the education, healthcare or financial sectors.

There are conflicting theories as to what the malware actually does. Cisco says the malware was designed to generate revenue using click fraud, a technique for generating fraudulent charges that costs advertisers billions of dollars each year. Microsoft, on the other hand, believes the malware was created as a relay to access network entities and plant malicious code.

Whatever the case, the attack is quite stealthy, as it uses techniques associated with "fileless" malware, which leaves few traces behind for researchers to discover.

"The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar," Microsoft wrote in a blog post. "We uncovered this campaign in mid-July, when suspicious patterns in the anomalous usage of MSHTA.exe emerged from Microsoft Defender ATP telemetry. In the days that followed, more anomalies stood out, showing up to a ten-fold increase in activity."  

How to protect your PC from Nodersok/Divergent 

As elusive as this newly discovered malware might be, both Microsoft and Cisco promise that their respective services, Windows Defender and Cisco Advanced Malware Protection (AMP), can spot and stop the malware. However, not every PC is equipped with those anti-malware defenders, and third-party solutions have a tricky time with this particular malware.

If you want to be 100% protected, Microsoft suggests that you don't run HTA (or HTML application) files on your Windows systems, especially if you can't trace them back to a legitimate owner.
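The infection chain described above (mshta.exe running an HTA, PowerShell stages, then a JavaScript payload on node.exe) is also what made the campaign visible in process telemetry. As an added example, not code from the article or from Microsoft or Cisco, the script below walks a constructed set of process-creation events and flags any node.exe whose ancestry runs through powershell.exe back to mshta.exe; the event format, process IDs and paths are all made up for the example.

```python
import re

# Constructed process-creation events in a Sysmon Event ID 1 style, one per line.
# These lines were written for this example; they are not real telemetry.
SAMPLE_EVENTS = """\
pid=4100 ppid=3200 image=C:\\Windows\\explorer.exe
pid=4212 ppid=4100 image=C:\\Windows\\System32\\mshta.exe
pid=4300 ppid=4212 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
pid=4310 ppid=4300 image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe
pid=4410 ppid=4310 image=C:\\Users\\u\\AppData\\Roaming\\node.exe
pid=5000 ppid=4100 image=C:\\Windows\\System32\\notepad.exe
pid=5100 ppid=4100 image=C:\\Windows\\System32\\mshta.exe
pid=5200 ppid=5100 image=C:\\Windows\\System32\\cmd.exe
"""

EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(\S+)")


def parse_events(text):
    """Return {pid: (ppid, lower-cased image basename, full image path)}."""
    procs = {}
    for line in text.splitlines():
        m = EVENT_RE.match(line)
        if m:
            pid, ppid, image = int(m.group(1)), int(m.group(2)), m.group(3)
            procs[pid] = (ppid, image.rsplit("\\", 1)[-1].lower(), image)
    return procs


def ancestry(procs, pid):
    """Basenames of the process and its ancestors, nearest parent first."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:   # stop at unknown parent or a cycle
        seen.add(pid)
        ppid, name, _ = procs[pid]
        chain.append(name)
        pid = ppid
    return chain


def find_nodersok_chains(text):
    """Return pids of node.exe processes launched via powershell.exe under mshta.exe."""
    procs = parse_events(text)
    hits = []
    for pid, (_, name, _) in procs.items():
        if name != "node.exe":
            continue
        chain = ancestry(procs, pid)
        # any number of PowerShell hops is fine, but mshta.exe must sit above them
        if "powershell.exe" in chain and "mshta.exe" in chain \
                and chain.index("powershell.exe") < chain.index("mshta.exe"):
            hits.append(pid)
    return hits
```

A benign mshta.exe that spawns cmd.exe (pid 5100 above) is not flagged, which is the point: the signal is the full lineage, not any single process name.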
