Cybersecurity experts are warning the public about fileless malware that takes advantage of legitimate, already-trusted programs to spread infections to thousands of PCs.
Microsoft and Cisco Talos recently published separate reports outlining how this malware uses existing, legitimate tools rather than its own executables to carry out attacks. In particular, it relies on the Node.js runtime and the WinDivert packet-capture library, which it brings onto the victim's PC and runs as if they were ordinary software.
The Threat Of Nodersok/Divergent Malware
Although the two companies name the malware differently (Microsoft calls it Nodersok, Cisco Talos calls it Divergent), they are describing the same threat. Both infections start with an HTML Application (HTA) file that ends up on the user's computer; once the user opens it, the script inside the HTA kicks off the rest of the infection chain.
Samples of Nodersok/Divergent were first seen last summer. They were most likely delivered through malicious ads (malvertising).
Nodersok/Divergent is made up of several components, each with its own job. One is a PowerShell module that disables Windows Defender and Windows Update. Another elevates the malware's privileges so that it runs with SYSTEM-level permissions.
Nodersok/Divergent reportedly uses Node.js together with WinDivert to start a SOCKS proxy on the infected PC, although it is not entirely clear what the proxy is for.
Microsoft believes the malware turns affected computers into proxies for relaying malicious traffic. Cisco Talos, on the other hand, says the resulting proxies are used for click fraud.
Whatever the proxy is ultimately for, having the malware on a computer is alarming in itself: the attackers can use it to load further modules that perform additional tasks, or to deliver second-stage payloads such as banking trojans or ransomware.
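As an added illustration of the chain described above (example code written for this page, not from the original article or from Microsoft's or Cisco Talos's reports), the following Python script walks a list of process-creation records and flags each stage: mshta.exe opening an HTA that sits in a user-writable folder, a PowerShell process spawned directly by mshta.exe, a PowerShell command line that switches Defender off, and node.exe running out of a user-writable path. The record layout, the directory prefixes, the Defender-tampering strings and the sample events are all constructed assumptions; in practice the same logic would be fed Sysmon or EDR process-creation events. WinDivert is a kernel driver, so its loading is not a process-creation event and is left out of scope here.

```python
# Added example (not code from the original article or from Microsoft/Cisco Talos):
# a small heuristic detector that walks process-creation records and flags the
# stages of the Nodersok/Divergent chain the article describes. Event schema,
# directory prefixes and the sample records below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (constructed schema, not a Sysmon/EDR export)."""
    pid: int
    ppid: int
    image: str     # full path of the executable that started
    cmdline: str   # command line it was started with


# Prefixes an unprivileged user, and therefore a drive-by download, can write to.
# Assumption: typical defaults; adjust for the environment being monitored.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\temp\\")

# Strings that indicate tampering with Windows Defender from PowerShell.
# Set-MpPreference / Add-MpPreference are the real Defender cmdlets; the exact
# switches the malware uses are not given on the page, so this list is an assumption.
DEFENDER_TAMPER = (
    "set-mppreference -disablerealtimemonitoring",
    "add-mppreference -exclusionpath",
)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _under_user_writable(path: str) -> bool:
    return path.lower().startswith(USER_WRITABLE)


def analyze(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) pairs for every event that matches a stage of the chain.

    Rules, in the order the article describes the chain:
      hta_from_user_dir          mshta.exe opening an .hta kept in a user-writable path
      powershell_child_of_mshta  PowerShell spawned directly by mshta.exe
      defender_tamper            PowerShell command line that switches Defender off
      node_from_user_dir         node.exe itself running out of a user-writable path
    """
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for e in events:
        name = _basename(e.image)
        cmd = e.cmdline.lower()
        parent = by_pid.get(e.ppid)
        parent_name = _basename(parent.image) if parent else ""

        if name == "mshta.exe" and ".hta" in cmd and any(p in cmd for p in USER_WRITABLE):
            findings.append((e.pid, "hta_from_user_dir"))

        if name in ("powershell.exe", "pwsh.exe"):
            if parent_name == "mshta.exe":
                findings.append((e.pid, "powershell_child_of_mshta"))
            if any(t in cmd for t in DEFENDER_TAMPER):
                findings.append((e.pid, "defender_tamper"))

        if name == "node.exe" and _under_user_writable(e.image):
            findings.append((e.pid, "node_from_user_dir"))
    return findings


# Constructed sample: benign background activity plus the chain from the article.
SAMPLE_EVENTS = [
    ProcEvent(50, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(100, 50, r"C:\Program Files\Google\Chrome\Application\chrome.exe", "chrome.exe"),
    # User double-clicks an HTA that a malvertising page dropped into Downloads.
    ProcEvent(200, 50, r"C:\Windows\System32\mshta.exe",
              r'"C:\Windows\System32\mshta.exe" "C:\Users\alice\Downloads\player_update.hta"'),
    # The HTA's script launches a hidden PowerShell stage that turns Defender off.
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -nop -w hidden -c "Set-MpPreference -DisableRealtimeMonitoring $true"'),
    # A Node.js binary dropped into the user's temp folder runs the proxy script.
    ProcEvent(400, 300, r"C:\Users\alice\AppData\Local\Temp\node.exe",
              r"C:\Users\alice\AppData\Local\Temp\node.exe C:\Users\alice\AppData\Local\Temp\proxy.js"),
    # Benign noise: an admin's interactive PowerShell and a developer's real Node.js install.
    ProcEvent(500, 50, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe Get-Process"),
    ProcEvent(600, 50, r"C:\Program Files\nodejs\node.exe", r'"C:\Program Files\nodejs\node.exe" app.js'),
]


if __name__ == "__main__":
    for pid, rule in analyze(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Run as a script it prints one line per hit. The point of keeping parent/child relationships in the rules is that neither mshta.exe nor PowerShell is suspicious on its own; PowerShell with mshta.exe as its parent, followed by a node.exe that lives in a temp folder, is the pattern worth paging someone over, while the developer's node.exe in Program Files and the admin's interactive PowerShell stay quiet.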
How To Protect PCs Against Nodersok/Divergent Malware
To keep Nodersok/Divergent and similar malware out, users are strongly advised not to open any HTA file they find on their computer, especially one whose origin they cannot vouch for. An HTA is executed by Windows' mshta.exe, and the script inside it runs with the same rights as the user who opened it, so double-clicking an unknown .hta is as risky as running an unknown .exe.
Some web pages download files automatically, without asking the user. Such unrequested downloads should be left alone, even when the file extension looks familiar.
Microsoft said thousands of computers across the EU and the United States had already been infected over the preceding few weeks, the majority of them in September alone.