After disclosing the Astaroth fileless campaign in July this year, Microsoft has now revealed a new wave of fileless attacks it calls Nodersok. The attackers again rely on legitimate tools to compromise systems, turning infected machines into proxies and using them for click fraud. Thousands of Windows computers are estimated to have been caught up in the campaign.
Nodersok does not drop a malicious executable on the device and leaves very little on the hard disk; the infection is a chain of stages, each launched through a legitimate tool.
The Nodersok attack begins when a malicious advertisement, clicked or merely browsed, leads the user to download and run an HTML Application (HTA) file. JavaScript hidden in the HTA downloads a second JavaScript file from the C&C server, which in turn fetches an encrypted file with an .mp4 extension that actually contains PowerShell commands. Once decrypted, the PowerShell code downloads the remaining components, including modules that disable Windows Defender Antivirus. The final stage turns the victim's computer into a proxy by running a JavaScript module on the Node.js framework.
According to Microsoft, Nodersok, like Astaroth, carries out every step of the infection chain with legitimate tools, whether built into Windows (mshta.exe and powershell.exe) or downloaded from third-party websites (node.exe and the WinDivert.dll/.sys packet-capture components). The scripts and shellcode that provide the malicious functionality arrive in encrypted form and are decrypted and executed only in memory, so no malicious executable is ever written to the hard disk.
Setting aside the legitimate tools that Nodersok abuses, the only malicious artifacts left on disk are the original HTA file, the final JavaScript module, and a large number of encrypted files.
Microsoft first noticed Nodersok in mid-July this year, when anomalous use of mshta.exe prompted an investigation. The campaign currently targets mainly ordinary consumers in the US and Europe.
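Because every stage runs through a legitimate binary, the useful detection signal is the process lineage rather than any single file, which is also how Microsoft's investigation started (anomalous mshta.exe use). The following is an added example, not code from the article or from Microsoft, that replays constructed process-creation records and flags the chain described above: mshta.exe handing off to powershell.exe, node.exe started from a user-writable directory, and node.exe whose ancestry includes both. The event fields, the sample file names under the user profile, and the "trusted directory" heuristic are all assumptions for illustration; the WinDivert driver is left out because its load shows up in driver-load telemetry, not in process-creation events.

```python
"""Added example: flag a Nodersok-style mshta -> powershell -> node.exe
process lineage in simplified process-creation events.  Not from the
article or Microsoft; event shape, paths and file names are assumptions."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One process-creation record (Sysmon Event ID 1-like fields, simplified)."""
    pid: int
    ppid: int
    image: str      # full path of the new process
    cmdline: str    # command line as logged


# Heuristic (assumption): signed Windows and installed-program binaries live
# here; node.exe running from anywhere else (Temp, AppData, Downloads) is odd.
TRUSTED_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def in_trusted_dir(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def ancestors(ev: ProcessEvent, by_pid: Dict[int, ProcessEvent]) -> List[ProcessEvent]:
    """Walk parent links upward; stop on an unknown pid or a cycle."""
    chain: List[ProcessEvent] = []
    seen = set()
    cur = by_pid.get(ev.ppid)
    while cur is not None and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def detect(events: Iterable[ProcessEvent]) -> List[Tuple[int, str]]:
    """Return (pid, rule) findings in event order."""
    events = list(events)
    by_pid = {e.pid: e for e in events}
    findings: List[Tuple[int, str]] = []
    for ev in events:
        name = basename(ev.image)
        parent = by_pid.get(ev.ppid)
        pname = basename(parent.image) if parent else ""

        # Rule 1: the HTA stage handing off to PowerShell.
        if name == "powershell.exe" and pname == "mshta.exe":
            findings.append((ev.pid, "mshta_to_powershell"))

        # Rule 2: Node.js runtime executing from a user-writable location.
        if name == "node.exe" and not in_trusted_dir(ev.image):
            findings.append((ev.pid, "node_untrusted_path"))
            # Rule 3: the full lineage, the strongest signal of this chain.
            lineage = {basename(a.image) for a in ancestors(ev, by_pid)}
            if {"powershell.exe", "mshta.exe"} <= lineage:
                findings.append((ev.pid, "mshta_powershell_node_chain"))
    return findings


# Constructed sample telemetry (not real logs): one infected session next to
# a developer legitimately using PowerShell and an installed node.exe.
SAMPLE_EVENTS = [
    ProcessEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcessEvent(300, 100, r"C:\Windows\System32\mshta.exe",
                 r'mshta.exe "C:\Users\alice\Downloads\update.hta"'),
    ProcessEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -c <encrypted stage omitted>"),
    ProcessEvent(500, 400, r"C:\Users\alice\AppData\Local\Temp\node.exe",
                 r"node.exe C:\Users\alice\AppData\Local\Temp\module.js"),
    ProcessEvent(600, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcessEvent(700, 600, r"C:\Program Files\nodejs\node.exe", "node server.js"),
    ProcessEvent(800, 600, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe Get-Process"),
]


if __name__ == "__main__":
    for pid, rule in detect(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```

Only the infected session fires: pid 400 trips the mshta-to-PowerShell rule, and pid 500 trips both the untrusted-path rule and the full-lineage rule, while the developer's node.exe under Program Files and the interactive PowerShell produce nothing. In a real deployment the path heuristic should be replaced by signer or hash checks, and the lineage walk by the EDR's own parent-process fields.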
Published by on October 2, 2019 7:08 am, last updated on September 30, 2019 8:08 am