Divergent or Nodersok? A new fileless malware emerges in the wild.
The payload termed “Divergent” by Cisco Talos Researchers and “Nodersok” by Microsoft utilizes Node.exe – an implementation by Microsoft of NodeJS – along with a legitimate program named WinDivert – a packet capture tool – to make up the malware.
According to Microsoft, thousands of computers have been infected, particularly from the USA and Europe. However, only 3% of the targets make up organizations and the rest happen to be consumers – All that without being detected.
The way it evades detection has also been seen in other such attacks before and can be classified into the fileless malware category. Users are first made to download an HTML application that from the onslaught is less suspicious than what an executable file would be and helps in executing the attack.
Furthermore, as legitimate programs such as WinDivert are utilized as a part of techniques known as “living off the land”, this also helps it maintain a low cover avoiding coming under the radar of antivirus signatures. To add to this, the malware disables Windows Defender serving as an effective guard against detection.
But on the other hand, when it comes to its motive, we are presented with conflicting explanations. Microsoft has stated that the malware’s purpose is to perform malicious activities stealthily whereas Talos argues that it is used for click fraud, attributable to the similarity found with other such malware of this nature such as Kovter. Microsoft though has also found similarities stating that:
Like the Astaroth campaign, every step of the infection chain only runs legitimate LOLBins, either from the machine itself (mshta.exe, powershell.exe) or downloaded third-party ones (node.exe, Windivert.dll/sys). All of the relevant functionalities reside in scripts and shellcodes that are almost always coming in encrypted, are then decrypted, and run while only in memory. No malicious executable is ever written to the disk.
In conclusion, this attack method signals users across enterprises and home networks to take stricter precautions. To practically translate such a warning, we need not only be wary of executable files as the traditional lessons in cybersecurity go but also be ready to believe that a file of any other nature can also be used potentially as malware.