Since the Astaroth fileless attack was released in July this year, Microsoft has once again revealed a new wave of Nodersok file-free attacks recently. The hackers also use legitimate tools to launch attacks in order to convert infected systems into proxies and perform click-fraud. It is estimated that thousands of Windows computers have been wrapped up.
Nodersok attacks do not infect any files on the device, and do not leave traces on the hard disk. It is only a series of infections are launched through legitimate tools.
Microsoft said that Nodersok, like Astaroth, performs every step of the infection chain only on legitimate tools, whether it’s the built-in mshta.exe and powershell.exe, or node.exe and Windivert.dll/sys downloaded from a third-party website. The functionalities that come with these scripts or Shellcodes appear encrypted form. They then are decrypted, and executed only in memory. No malicious code is written to the hard disk.
Microsoft discovered the Nodersok attack in mid-July this year and launched an investigation because it detected an abnormality in the use of mshta.exe. Now Nodersok’s main goal is to target the average consumer in the US and Europe.
Published by Emerson L. Sullivan & last updated on September 30, 2019 8:08 am