Microsoft has warned that thousands of Windows computers around the world have been infected with a new breed of malware that downloads and installs a copy of the widely used Node.js framework and turns the infected systems into proxies, used among other things for click fraud.
The malware, called Nodersok in the Microsoft report and Divergent in the Cisco Talos report, was first detected during the summer and is distributed through malicious ads that force the download of HTA (HTML Application) files onto users' computers.
Users who found and ran these HTA files started a multi-stage infection process involving Excel, JavaScript, and PowerShell, which eventually downloaded and installed the Nodersok malware.
The malware itself consists of multiple components, each with its own role, including a PowerShell module that tries to disable Windows Defender and Windows Update, and a component that elevates the malware's privileges to SYSTEM level.
There are also two legitimate third-party components: WinDivert, a library for capturing and modifying network packets, and Node.js, a developer runtime best known for running JavaScript on web servers.
According to the Microsoft and Cisco reports, the malware uses WinDivert and Node.js on the infected host to turn it into a proxy for malicious activity.
Microsoft states that the malware converts infected hosts into proxies that relay malicious traffic, while Cisco says the infected hosts are used for click fraud.
The Nodersok operators can push additional modules to perform further tasks at any time, or even deliver secondary malware such as ransomware or banking Trojans.
To avoid infection altogether, Microsoft advises users not to run HTA files on their systems, especially if they do not know exactly where the files came from.
According to Microsoft, Nodersok has infected thousands of devices in the past few weeks, most of them this month, with the majority of affected users in the United States and the European Union.
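The reports describe the host-side behaviour of this malware (Defender and Windows Update disabled, node.exe running with WinDivert loaded, an HTA stage executed by mshta.exe) rather than giving indicators. The script below is an added triage example written for this page; it is not code from Microsoft's or Cisco's reports, and the process name `node`, the `WinDivert*` DLL and service name pattern, the Security event ID 4688 and the `htafile` registry path are assumptions about how those components appear on a typical Windows host. Run it from an elevated PowerShell session so that module lists of other users' processes and the Security log are readable.

```powershell
# Added example, not from the Microsoft or Cisco reports: a triage script that
# checks a Windows host for the behaviours described in the article.
# Names, paths and event IDs below are assumptions, not published indicators.

# 1. Windows Defender: the article says the malware's PowerShell module tries
#    to switch it off, so a host with real-time protection disabled is suspect.
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if (-not $mp -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender real-time protection is disabled or unavailable"
}
$pref = Get-MpPreference -ErrorAction SilentlyContinue
if ($pref -and $pref.DisableRealtimeMonitoring) {
    Write-Warning "DisableRealtimeMonitoring is set in Defender preferences"
}

# 2. Windows Update: same reasoning for the wuauserv service.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
if (-not $wu -or $wu.StartType -eq 'Disabled') {
    Write-Warning "Windows Update service (wuauserv) is missing or disabled"
}

# 3. Node.js processes, and whether any of them has loaded a WinDivert DLL.
#    Node.js running on a workstation outside a developer's profile is unusual
#    by itself; Node.js plus WinDivert is the combination the reports describe.
Get-Process -Name node -ErrorAction SilentlyContinue | ForEach-Object {
    $divert = $_.Modules | Where-Object { $_.ModuleName -like 'WinDivert*' }
    [pscustomobject]@{
        Pid      = $_.Id
        Path     = $_.Path
        WinDivert = [bool]$divert   # assumed DLL name pattern
    }
}

# 4. WinDivert needs a kernel driver, which is registered as a service.
Get-Service -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -like 'WinDivert*' -or $_.DisplayName -like 'WinDivert*' } |
    Select-Object Name, Status, StartType

# 5. Recent mshta.exe process creations: the HTA stage runs under mshta.exe.
#    Requires process-creation auditing (Security event 4688); the command
#    line is only present if command-line auditing is enabled too.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = (Get-Date).AddDays(-7) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'mshta\.exe' } |
    Select-Object TimeCreated,
        @{ n = 'CommandLine'; e = { ($_.Message -split "`n" | Where-Object { $_ -match 'Process Command Line' }) -join '' } }

# 6. Mitigation matching Microsoft's advice not to run HTA files: re-point the
#    per-machine .hta association at Notepad so a double-clicked HTA opens as
#    text instead of executing. Left commented out because it changes the host;
#    an AppLocker or WDAC rule on mshta.exe is the stronger control.
# Set-ItemProperty -Path 'HKLM:\SOFTWARE\Classes\htafile\shell\open\command' `
#     -Name '(default)' -Value '"C:\Windows\notepad.exe" "%1"'
```

Treat any hit from steps 3 and 4 as a reason to image the host rather than to clean it: the reports say the operators can push further modules, including ransomware or banking Trojans, so a single node.exe finding does not bound what else is present.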
Source : Microsoft