Published on September 28th, 2019

Thousands Of PCs Infected With Nodersok/Divergent Malware: Report


Microsoft and Cisco Talos have released reports about the threat of a malware known as Nodersok/Divergent. This program often uses existing computer tools, such as Node.js and WinDivert, to launch malicious behavior on PCs. (Image: Pixabay)

Cybersecurity experts are warning the public about fileless malware that takes advantage of legitimate computer programs to spread infections to thousands of PCs.

Microsoft and Cisco Talos recently came out with separate reports outlining how certain malicious software makes use of existing tools to launch cyberattacks. This malware relies on legitimate programs, such as Node.js and WinDivert, that are commonly found on PCs.

The Threat Of Nodersok/Divergent Malware

While the malware is named differently by the two tech companies - Microsoft refers to it as Nodersok while Cisco Talos refers to it as Divergent - they describe the same nefarious purpose. The malware forcibly installs HTML Application (HTA) files on users' computers.

Examples of Nodersok/Divergent malware were first encountered last summer. They were likely distributed across the internet through malicious ads.

Users who were affected by this malware unwittingly ran the HTA files, triggering a multi-stage infection process that leveraged Excel, JavaScript, and PowerShell scripts. This in turn opened the door for Nodersok/Divergent to infect the computers.

Nodersok/Divergent has several different components, each with its own purpose. One of them is a PowerShell module that deactivates Windows Defender and Windows Update. Another component hijacks PCs to grant the malware SYSTEM-level permissions.

However, the malware also makes use of legitimate programs, such as Node.js and WinDivert. Node.js is a runtime that allows JavaScript to be executed outside of a web browser, while WinDivert is used to capture and interact with network packets.

Nodersok/Divergent reportedly uses Node.js and WinDivert to start a SOCKS proxy on infected PCs, though it's not exactly certain what the proxy is used for.

Microsoft believes the malware leverages the affected computers to turn them into proxies for relaying malicious traffic. Meanwhile, Cisco Talos claims that the resulting proxies are used by the malware to perform click fraud.

Despite the conflicting views on Nodersok/Divergent's impact, it's undeniable that merely having the malware on people's computers is already alarming enough. Hackers can use the malware to launch other modules that perform additional tasks, or to deliver secondary malicious programs such as banking trojans or ransomware.

How To Protect PCs Against Nodersok/Divergent Malware

To keep Nodersok/Divergent and other malware from infecting PCs, users are strongly advised not to run any HTA files they may come across on their computers. This is especially true if they can't tell exactly where the file came from.

Some web pages automatically download files, even without the user's permission. These should be avoided as much as possible, even if users recognize the extension used by the files.

Microsoft said thousands of computers across the EU and the U.S. have already been infected over the past few weeks. The majority of these infections occurred in September alone.

ⓒ 2018 TECHTIMES.com All rights reserved. Do not reproduce without permission.
