An attack campaign targeting primarily the U.S. and Europe is leveraging two legitimate tools, the Node.js framework and WinDivert, to install "fileless" malware that appears to either turn victims' systems into proxies or perpetrates click fraud.
Researchers from both Microsoft Corporation and Cisco Talos yesterday filed separate reports warning of this campaign, which they have named Nodersok or Divergent, respectively.
Microsoft, which discovered the campaign in mid-July, said thousands of machines have been targeted in the last several weeks alone, the majority of which belong to consumers. However, roughly three percent of attacks have hit organizations, particularly educational institutions. The U.S. has been targeted 60 percent of the time, followed by the U.K. (21 percent), Germany (8 percent), Italy (5 percent), France (3 percent) and Sweden (1 percent).
"The campaign is particularly interesting not only because it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar," said Microsoft's blog post report, authored by the Microsoft Defender ATP Research Team.
Users are typically infected while browsing online, either by clicking on a malicious HTA file or when served a malvertisement. The JavaScript code in the HTA file downloads a second-stage component, which in turns launches PowerShell commands by hiding the encoded command text inside of an environment variable. These commands then download and execute multiple encrypted components with various functions.
Among these components are Node.exe from Node.JS -- a framework that can execute JavaScript outside of a web browser -- and a shellcode to run WinDivert (Windows Packet Divert), a user-mode packet capture-and-divert package. "The use of NodeJS is not something commonly seen across malware families," said Talos in its own blog post report.
Microsoft and Talos diverge on what the actual purpose of Divergence is. The former believes its purpose is to turn infected machines into zombie proxies, while the latter believes click fraud is the end game, noting that the malware is similar to other fileless malware families, especially Kovter. Fileless malware programs that use legitimate tool to function are considered a particularly troublesome threat because it allows attackers to reduce their footprint and give threat researchers little forensic evidence to work with.
