A new form of fileless malware has been discovered that uses legitimate Windows tools – living-off-the-land binaries or LOLBins – to conduct its malicious actions. While the use of LOLBins by fileless malware is nothing new, in this case the malware uses standard tools and also downloads its own LOLBIns.
The first – Node.exe – is the Windows implementation of the Node.js framework which is typically used by web applications. The second is a network packet capture and manipulation utility called WinDivert.dl/sys. These tools are not inherently malicious as they are genuine Windows utilities intended for legitimate uses; however, the new fileless malware uses these tools to turn infected machines into zombie proxies for malicious traffic.
These unusual LOLBins are downloaded through a complex series of steps intended to evade detection. As with other fileless malware variants, all LOLBins are run in the memory and no executables are written to the disk.
The new malware threat was detected by the Microsoft Defender ATP Research Team and researchers at Cisco Talos, with the former naming the threat Nodersok and the latter naming it Divergent.
The campaign distributing Nodersok/Divergent was first detected by Microsoft in mid-July. Infections increased at the end of August and spiked in the first week of September. Thousands of devices have been attacked over the past few weeks, with the campaign focusing on personal users in the United States (60%) and Europe rather than businesses. Only around 3% of attacks have targeted companies, with those attacks mostly focused on the education sector (42%), business and professional services (8%), healthcare/pharma (7%), finance (7%), and retail (6%) sectors.
Cisco Talos researchers believe the primary purpose of the malware is for click fraud to generate clicks to boost website revenue. The campaign is focused on consumers, but the threat could be used to target corporate networks.
The attack starts with a user clicking a malicious link or via a malvertising redirect, which result in a drive-by download and execution of an HTA (HTML application). The HTA app incorporates JavaScript that launches a second stage XSL file containing a JavaScript Script or just a JavaScript file, which then uses PowerShell to download other malicious modules that capture data packets, disable Windows Defender, and create the proxy. Infected computers are then used as relay servers to provide access to C2 servers and compromised sites.
Both Cisco Talos and Microsoft have said their enterprise systems detect and block the threat, although the threat is unlikely to be detected by conventional anti-virus programs typically used by consumers.