Cybersecurity experts are warning the public about fileless malware that takes advantage of legitimate computer programs to spread infections to thousands of PCs.

Microsoft and Cisco Talos recently published separate reports describing how a particular malicious campaign abuses existing, legitimate tools to carry out its attacks. The malware relies on two such programs, Node.js and WinDivert, neither of which is malicious in itself.

The Threat Of Nodersok/Divergent Malware

The two companies use different names for it (Microsoft calls it Nodersok, Cisco Talos calls it Divergent), but they describe the same campaign with the same nefarious purpose. The infection begins with an HTML Application (HTA) file that is delivered to users' computers.

Nodersok/Divergent samples were first observed in summer 2019. They were most likely distributed across the internet through malicious ads.

Users who unwittingly ran the HTA file triggered a multi-stage infection chain in which JavaScript, XSL and PowerShell stages each downloaded and launched the next. That chain is what ultimately opened the door for Nodersok/Divergent to infect the computer.

Nodersok/Divergent has several components, each with its own job. One is a PowerShell module that disables Windows Defender Antivirus and Windows Update. Another attempts to elevate privileges so that the malware runs with SYSTEM-level permissions.

The malware also relies on legitimate programs, namely Node.js and WinDivert. Node.js is a runtime that allows JavaScript to be executed outside a web browser, while WinDivert is a packet-capture library used to intercept and manipulate network traffic.

Nodersok/Divergent reportedly uses Node.js and WinDivert to start a SOCKS proxy on infected PCs, though exactly what the proxy is used for is not certain.

Microsoft believes the malware turns affected computers into proxies that relay malicious traffic. Cisco Talos, meanwhile, assesses that the proxies are used to perform click fraud.
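The pairing described above, a Node.js process acting as a local proxy while the WinDivert packet driver is loaded, is something a defender can check for on a live machine. The following hunting script is an added example and is not code from the article, Microsoft, or Cisco Talos; the "outside Program Files" heuristic and the WinDivert driver-name match are this example's own assumptions and should be tuned where Node.js servers run legitimately.

```powershell
# Added hunting example (not from the article or the vendor reports). It looks for a
# node.exe process listening on a local TCP port while a WinDivert driver is loaded.
# The path heuristic and the driver-name match are this example's assumptions.

function Get-ListeningNodeProcesses {
    # Each running node.exe with its image path and the TCP ports it listens on.
    Get-Process -Name node -ErrorAction SilentlyContinue | ForEach-Object {
        $proc  = $_
        $ports = Get-NetTCPConnection -OwningProcess $proc.Id -State Listen -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty LocalPort -Unique
        [pscustomobject]@{
            ProcessId = $proc.Id
            Path      = $proc.Path   # may be $null for processes we are not allowed to open
            Ports     = @($ports)
        }
    }
}

function Get-WinDivertDrivers {
    # Kernel drivers whose service name or binary path mentions WinDivert.
    Get-CimInstance -ClassName Win32_SystemDriver |
        Where-Object { $_.Name -like '*WinDivert*' -or $_.PathName -like '*WinDivert*' } |
        Select-Object -Property Name, State, PathName
}

function Find-NodeProxyIndicators {
    # Combine both signals into one record per listening node.exe process.
    $divertRunning = [bool](Get-WinDivertDrivers | Where-Object { $_.State -eq 'Running' })
    Get-ListeningNodeProcesses | Where-Object { $_.Ports.Count -gt 0 } | ForEach-Object {
        $outside = [bool]($_.Path -and ($_.Path -notmatch '^[A-Za-z]:\\Program Files'))
        [pscustomobject]@{
            ProcessId           = $_.ProcessId
            Path                = $_.Path
            ListeningPorts      = ($_.Ports -join ',')
            OutsideProgramFiles = $outside
            WinDivertLoaded     = $divertRunning
            # Both conditions together match the description above; either alone is only a lead.
            Suspicious          = ($outside -and $divertRunning)
        }
    }
}

# Usage: run from an elevated session so process paths and connection owners are visible.
Find-NodeProxyIndicators | Format-Table -AutoSize
```

A hit on both signals is worth pulling the node.exe binary, its command line and the script it was launched with; a Node.js process alone, or the driver alone, is common enough on developer and network-tooling machines that it should only be treated as a lead.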

Whatever the proxy is ultimately for, simply having the malware on a computer is alarming enough. The attackers can use it to load additional modules that perform other tasks, or to deliver secondary malicious programs such as banking trojans or ransomware.

How To Protect PCs Against Nodersok/Divergent Malware

To keep Nodersok/Divergent and similar malware off their PCs, users are strongly advised not to run any HTA files they come across, especially when they cannot tell where the file came from.

Some web pages download files automatically, without asking the user. Such files should not be opened, even if the extension looks familiar.
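One way to make the advice above stick on a machine where nobody needs HTA files is to change what Windows does when one is double-clicked. The script below is an added hardening example, not code from the article or the vendor reports; the registry path is the standard htafile ProgID, while the Notepad command line and the 'OriginalCommand' backup value name are this example's own choices.

```powershell
# Added hardening example (not from the article or the vendor reports). It repoints the
# default handler for .hta files so a double-clicked HTA opens in Notepad instead of
# executing under mshta.exe. Run from an elevated PowerShell session.

$htaKey      = 'HKLM:\SOFTWARE\Classes\htafile\shell\open\command'
$safeCommand = '"%SystemRoot%\System32\notepad.exe" "%1"'   # example's choice of viewer

function Get-HtaHandler {
    # The command Windows currently runs when an .hta file is opened.
    (Get-ItemProperty -Path $htaKey -Name '(default)').'(default)'
}

function Test-HtaExecutable {
    # True while the handler still invokes mshta.exe, i.e. HTA files will execute.
    (Get-HtaHandler) -match 'mshta\.exe'
}

function Disable-HtaExecution {
    # Keep a copy of the original handler next to it, then point .hta at Notepad.
    if (-not (Get-ItemProperty -Path $htaKey -Name 'OriginalCommand' -ErrorAction SilentlyContinue)) {
        Set-ItemProperty -Path $htaKey -Name 'OriginalCommand' -Value (Get-HtaHandler) -Type ExpandString
    }
    Set-ItemProperty -Path $htaKey -Name '(default)' -Value $safeCommand -Type ExpandString
}

function Restore-HtaExecution {
    # Undo Disable-HtaExecution using the saved copy.
    $saved = (Get-ItemProperty -Path $htaKey -Name 'OriginalCommand' -ErrorAction SilentlyContinue).OriginalCommand
    if ($saved) {
        Set-ItemProperty -Path $htaKey -Name '(default)' -Value $saved -Type ExpandString
        Remove-ItemProperty -Path $htaKey -Name 'OriginalCommand'
    }
}

# Usage
if (Test-HtaExecutable) {
    Write-Host "HTA files currently run via: $(Get-HtaHandler)"
    Disable-HtaExecution
    Write-Host "HTA files now open with:     $(Get-HtaHandler)"
} else {
    Write-Host "HTA execution is already disabled: $(Get-HtaHandler)"
}
```

This only changes the shell association: anything that invokes mshta.exe directly (a script, a scheduled task, a crafted shortcut) still runs, so pair it with an AppLocker or WDAC rule that blocks mshta.exe on machines that have no business running it.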

Microsoft said thousands of computers across Europe and the United States have already been infected over the past few weeks, the majority of them in September alone.

ⓒ 2021 All rights reserved. Do not reproduce without permission.