A recently observed malware delivery campaign employs advanced fileless techniques and an elusive network infrastructure that allows it to remain largely undetected.
The campaign, which Microsoft refers to as Nodersok, abuses two legitimate tools that it drops onto the infected machines, namely Node.exe, the Windows implementation of the popular Node.js framework, and WinDivert, a network packet capture and manipulation utility.
Over the past several weeks, thousands of machines were impacted by the campaign, most of them located in the United States and Europe. Around 3% of the infected systems are within organizations, but the attack has mainly targeted consumers, Microsoft says.
The attack starts with the delivery of an HTML Application (HTA), most likely through compromised advertisements. The file attempts to connect to a randomly named domain to download additional JavaScript code that attempts to retrieve content from the command and control (C&C) server.
The downloaded file then attempts to contact the remote C&C domain to download an RC4-encrypted file and a decryption key. The file is an additional JavaScript snippet that starts a malicious PowerShell script.
The infection process continues to the launch of additional PowerShell scripts to download and run several encrypted modules that are decrypted on the fly before being executed. One of the modules attempts to disable Windows Defender Antivirus and Windows updates, then run binary shellcode that attempts elevation of privilege.
One of the PowerShell stages downloads the legitimate node.exe tool, while another drops WinDivert packet capture library components. Another PowerShell component executes a shellcode to use WinDivert for the filtering and modification of certain outgoing packets.
In the end, a JavaScript payload ..
Support the originator by clicking the read the rest link below.
