Microsoft and Cisco Talos have identified a new malware strain that has infected thousands of computers in the US and Europe. Both companies state that the malware can turn infected PCs into proxies for malicious activity.
Microsoft named the malware Nodersok, while Cisco Talos calls it Divergent. The threat carries several components of its own for its malicious activity, but it also takes advantage of existing, legitimate tools.
Notably, the malware leverages the widely used Node.js framework and WinDivert, a user-mode packet capture-and-divert package for Windows 2008, Windows 7, Windows 8, Windows 10 and Windows 2016, to turn infected machines into proxies for malicious behaviour.
Microsoft and Cisco Talos each released a threat report on the malware in separate blog posts on Wednesday, September 25.
According to the Microsoft researchers, once Nodersok has turned systems into unwitting proxies, it uses them as "a relay to access other network entities (websites, C&C servers, compromised machines, etc.), which can allow them to perform stealthy malicious activities."
The two companies differ somewhat on exactly what the malware does. Cisco Talos researchers said that "This malware can be leveraged by an attacker to target corporate networks and appears to be primarily designed to conduct click-fraud. It also features several characteristics that have been observed in other click-fraud malware, such as Kovter."
Cisco Talos believes the malware is still under active development.
Microsoft, for its part, stated that although Windows Defender is able to identify and block Nodersok, detecting the malware can be difficult because it leverages legitimate infrastructure.
In addition, Microsoft said in the post that this threat campaign is very interesting not only because "it employs advanced fileless techniques, but also because it relies on an elusive network infrastructure that causes the attack to fly under the radar."
Nodersok's behaviour does, however, give researchers an opportunity to detect it at some point.
Microsoft also advised users not to run HTA files found on their systems, especially files they don't remember downloading or whose origin they can't identify.