Microsoft has discovered a new malware campaign responsible for infecting thousands of Windows PCs around the world.
The malware is fileless, according to Microsoft, and uses living-off-the-land binaries (LOLBins) to leverage legitimate Windows system tools and features. Nodersok then runs legitimate components such as the Node.js runtime (Node.exe) and the WinDivert packet-capture driver (WinDivert.dll/.sys) to do its work, so no malicious documents or executables are ever written to the disk of a compromised machine.
After the system has been fully infected, Nodersok can turn it into a zombie-like proxy machine used to launch other cyber attacks and even create a relay server that can give hackers access to command and control servers as well as other compromised devices. This helps hackers hide their activity from security researchers looking for suspicious behavior.
Microsoft researchers described in their blog post how they discovered the Nodersok campaign, stating:
The campaign is especially interesting not only because it uses sophisticated fileless methods, but also because it depends on an elusive network infrastructure that causes the attack to fly under the radar. This campaign was discovered in mid-July when suspicious patterns appeared in Microsoft Defender ATP telemetry in the form of anomalous use of MSHTA.exe.
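The two telemetry signals the article mentions, anomalous use of MSHTA.exe and the presence of legitimate tools like Node.exe and WinDivert in unexpected places, are the kind of thing a defender can turn into simple detection logic. The following is an added illustration, not Microsoft's detection logic and not code from the Nodersok research; the event format (one dict per process-creation or driver-load event), the sample events and the rule names are all constructed for this example. The rules generalize beyond Nodersok to any misuse of these LOLBins.

```python
"""Flag anomalous LOLBin use (mshta.exe, node.exe) and untrusted WinDivert
driver loads in simplified process-creation / driver-load telemetry.

Added example, not Microsoft's or the Nodersok research's own code. The event
schema, sample events and rule names below are constructed for illustration.
"""
import ntpath

# Script hosts that should rarely be the parent of a Node.js runtime.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Path fragments that indicate a user-writable location (lowercased matching).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
# Locations from which a packet-capture driver would normally be loaded.
TRUSTED_DRIVER_DIRS = ("c:\\windows\\system32\\drivers\\", "c:\\program files")

# Constructed sample telemetry: two benign events, three suspicious ones.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\alice\Downloads\report.hta"},
    {"type": "process", "parent": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe javascript:PLACEHOLDER_INLINE_SCRIPT"},  # constructed
    {"type": "process", "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\nodejs\node.exe",
     "cmdline": "node.exe server.js"},
    {"type": "process",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Users\alice\AppData\Local\Temp\node.exe",
     "cmdline": "node.exe -e PLACEHOLDER_SCRIPT"},  # constructed
    {"type": "driver",
     "image": r"C:\Users\alice\AppData\Local\Temp\WinDivert64.sys"},
]


def _name(path):
    """Lowercased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def check_mshta(event):
    """mshta.exe normally opens an .hta file; inline script protocols
    (javascript:, vbscript:) or URLs on its command line are anomalous."""
    if event["type"] != "process" or _name(event["image"]) != "mshta.exe":
        return None
    # Naive split; real telemetry needs a proper Windows command-line tokenizer
    # so that quoted paths containing spaces are not broken apart.
    args = event["cmdline"].split()[1:]
    if not any(a.lower().endswith(".hta") for a in args):
        return "mshta_inline_script"
    return None


def check_node(event):
    """node.exe spawned by a script host, or running from a user-writable
    directory rather than an installed location, is worth a closer look."""
    if event["type"] != "process" or _name(event["image"]) != "node.exe":
        return None
    image = event["image"].lower()
    if _name(event["parent"]) in SCRIPT_HOSTS or any(m in image for m in USER_WRITABLE):
        return "node_unusual_context"
    return None


def check_windivert(event):
    """A WinDivert driver loaded from outside trusted driver directories."""
    if event["type"] != "driver":
        return None
    name = _name(event["image"])
    if name.startswith("windivert") and name.endswith(".sys"):
        if not event["image"].lower().startswith(TRUSTED_DRIVER_DIRS):
            return "windivert_untrusted_path"
    return None


def scan(events):
    """Run every rule over every event; return (rule, image) for each hit."""
    findings = []
    for ev in events:
        for rule in (check_mshta, check_node, check_windivert):
            hit = rule(ev)
            if hit:
                findings.append((hit, ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule}: {image}")
```

Run as-is, the script reports three findings from the constructed events and stays silent on the two benign ones. Each rule is deliberately narrow: the point is not to catch Nodersok by name but to surface the behaviours the article attributes to it (a script host used without an .hta file, a scripting runtime in an odd place, a capture driver outside its normal home) so an analyst can triage them.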
However, Microsoft has updated its free antivirus software, Microsoft Defender, to detect the malware, for those worried about their systems being infected by Nodersok.